<div dir="ltr">opened ticket<div><div><a href="https://pagure.io/dogtagpki/issue/2979">https://pagure.io/dogtagpki/issue/2979</a></div><div>SAN in internal SSL server certificate in pkispawn configuration step</div></div><div><br></div><div>community comments welcome.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 30, 2018 at 8:24 AM, Rafael Leiva-Ochoa <span dir="ltr"><<a href="mailto:spawn@rloteck.net" target="_blank">spawn@rloteck.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="auto">Yes, making this a default will make it much easier.</div><div><div class="h5"><br><div class="gmail_quote"><div>On Fri, Mar 30, 2018 at 8:14 AM Marc Sauton <<a href="mailto:msauton@redhat.com" target="_blank">msauton@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Yes, sorry, I forgot to mention the profile used for the internal SSL server certificate at configuration needed to be copied from /usr/share/pki/ca/conf/serverCert.profile.exampleWithSAN<div>Should we make this a default setting?</div><div>Thanks,</div><div>M.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 10:05 PM, Rafael Leiva-Ochoa <span><<a href="mailto:spawn@rloteck.net" target="_blank">spawn@rloteck.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Found the solution here... Thanks again!<div><br></div><div><a href="https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html" target="_blank">https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 8:06 PM, Rafael Leiva-Ochoa <span><<a href="mailto:spawn@rloteck.net"
target="_blank">spawn@rloteck.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>sending to alias also...<div><div class="m_-5819574964423330008m_-1604416429726596638h5"><div><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017h5"><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Rafael Leiva-Ochoa</b> <span><<a href="mailto:spawn@rloteck.net" target="_blank">spawn@rloteck.net</a>></span><br>Date: Thu, Mar 29, 2018 at 3:35 PM<br>Subject: Re: [Pki-users] SAN for Launch page.<br>To: Marc Sauton <<a href="mailto:msauton@redhat.com" target="_blank">msauton@redhat.com</a>><br><br><br><div>It did not work. I am still getting SAN errors when using the Launch page. I viewed the Cert that was issued to the launch page, and it is still missing the SAN. Here is my ca.cfg:<div><br></div><div>




<pre>[CA]
pki_admin_email=caadmin@test.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=xxxxxxxx
pki_admin_uid=caadmin

pki_san_inject=True
pki_san_for_server_cert=dogtag-ca-root.test.com

pki_client_database_password=xxxxxxxx
pki_client_database_purge=False
pki_client_pkcs12_password=xxxxxxxxxx

pki_ds_base_dn=dc=test,dc=com
pki_ds_database=pki-tomcat
pki_ds_password=xxxxxxx

pki_ca_signing_subject_dn=cn=TEST Root CA,ou=TEST Certification Authority,c=US</pre>


<br></div><div><br></div><div>Thanks,</div><div><br></div><div>Rafael</div></div><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135HOEnZb"><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 2:50 PM, Rafael Leiva-Ochoa <span><<a href="mailto:spawn@rloteck.net" target="_blank">spawn@rloteck.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Thanks, I will give that a try.</div><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135m_-7447381700793642264HOEnZb"><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135m_-7447381700793642264h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 12:57 PM, Marc Sauton <span><<a href="mailto:msauton@redhat.com" target="_blank">msauton@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Try to add to the pkispawn config file, for example:</div><div><div>pki_san_inject=True</div><div>pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com</div></div><div><br></div><div>Note for the "non-internal" certificates, there is a way to modify enrollment profiles to add a SAN, but a recently updated feature is described in the page at<br></div><div><a href="http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN" target="_blank">http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN</a><br></div><div><div><br></div><div>Thanks,</div></div><div>M.</div><div class="gmail_extra"><br><div
class="gmail_quote"><div><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135m_-7447381700793642264m_-4665455240758013227h5">On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa <span><<a href="mailto:spawn@rloteck.net" target="_blank">spawn@rloteck.net</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135m_-7447381700793642264m_-4665455240758013227h5"><div>Hi Everyone,<div><br></div><div>    I am trying to build a new CA, and I am using the ca.cfg file to create the CA, but when I create the CA, the SAN is missing from the website cert (:8443). I am trying to look for the right value to put on the ca.cfg file for the SAN, so the launch page does not give me SAN errors. Here is what I found, but nothing relating to the SAN:</div><div><br></div><div><pre style="font-family:monospace,Courier;color:rgb(0,0,0);background-color:rgb(249,249,249);border:1px solid rgb(221,221,221);padding:1em;white-space:pre-wrap;line-height:1.1em;font-size:12.7px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE</pre>Any ideas?</div><span class="m_-5819574964423330008m_-1604416429726596638m_8577873645339814017m_-7563115669208077135m_-7447381700793642264m_-4665455240758013227m_136172861415737915gmail-HOEnZb"><font color="#888888"><div><br></div><div>Rafael</div></font></span></div>
<br></div></div>______________________________<wbr>_________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/pki-users</a><br></blockquote></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></div><br></div></div></div></div></div></div>
</blockquote></div><br></div>
</blockquote></div><br></div>
</blockquote></div></div></div></div>
</blockquote></div><br></div>
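<div>The settings discussed in this thread (pki_san_inject, pki_san_for_server_cert and the SAN-enabled serverCert profile) are only confirmed by inspecting the certificate the instance actually serves on :8443. The shell check below is an added example, not part of the original messages or of Dogtag; the function names, the placeholder host name and the generated sample certificates are constructed for illustration.</div>

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): confirm that a server
# certificate lists a given DNS name in subjectAltName.

# cert_has_san PEM_FILE DNS_NAME
# Returns 0 if DNS_NAME is a DNS SAN entry, 1 if it is not, 2 if unreadable.
cert_has_san() {
    [ -r "$1" ] || return 2
    # The SAN values are on the line after the extension name in -text output.
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fqx "DNS:$2"    # whole-entry match: a.example.com != ca.example.com
}

# make_test_cert OUT_PEM CN [SAN_VALUE]
# Constructed sample input: a throwaway self-signed certificate, with a
# subjectAltName extension only when SAN_VALUE is given.
make_test_cert() {
    dir=$(mktemp -d) || return 1
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=CA:FALSE\n' "$2"
        if [ -n "${3:-}" ]; then printf 'subjectAltName=%s\n' "$3"; fi
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# san_selftest: one certificate without a SAN (what the thread observed) and
# one with the SAN list from the suggested config; returns 0 if both behave.
san_selftest() {
    work=$(mktemp -d) || return 1
    make_test_cert "$work/no_san.pem" ca01.example.com || return 1
    make_test_cert "$work/san.pem" ca01.example.com \
        'DNS:ca01.example.com,DNS:ca02.example.com,DNS:ca.example.com' || return 1
    ok=0
    cert_has_san "$work/no_san.pem" ca01.example.com && ok=1
    cert_has_san "$work/san.pem" ca.example.com || ok=1
    rm -rf "$work"
    return "$ok"
}

# Against a running instance (host name is a placeholder), save the served
# certificate first, then check it:
#   openssl s_client -connect ca01.example.com:8443 </dev/null 2>/dev/null |
#       openssl x509 -out served.pem
#   cert_has_san served.pem ca01.example.com && echo "SAN present"
```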