[Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch

Christina Fu cfu at redhat.com
Mon Apr 20 21:24:40 UTC 2015


This patch allows SAN to be specified for the server cert during 
installation.
It ports some of the code from the now-obsolete 8.1 errata that dealt with 
IP port separation, and adds the needed pkispawn config parameters and an 
example enrollment profile with SAN patterns.

Note: the installation part of the SAN injection code ported was originally 
authored by mharmsen, while the backend SAN input code (authored by 
myself) was already ported earlier for another purpose.

Usage:
* under /usr/share/pki/ca/conf, you will find a new file called 
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with 
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
   - follow the instruction right above 8.default.
   - save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
   - follow the instruction right above policyset.serverCertSet.9
   - save and quit
* save away and edit the ca config file for pkispawn (note: you can add 
multiple SANs delimited by ',' for pki_san_server_cert):
   - add the following lines, e.g.
     pki_san_inject=True
     pki_san_server_cert=host1.Example.com
   - do the same pkispawn cfg changes for kra or any other instances 
that you plan on creating
* create your instance(s)
   check the SSL server cert; it should contain something like the following:

                 Identifier: Subject Alternative Name - 2.5.29.17
                     Critical: no
                     Value:
                         DNSName: host1.Example.com
