[Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch

Christina Fu cfu at redhat.com
Mon Apr 20 21:24:40 UTC 2015

This patch allows SAN to be specified for the server cert during 
It ports some of the code from now obsolete 8.1 errata that dealt with 
IP port separation, and added needed pkispawn config parameters and 
example enrollment profile with SAN patterns

note: the installation part of san injection code ported was originally 
authored by mharmsen, while the backend SAN input code (authored by 
myself) was already ported earlier for other purpose.

* under /usr/share/pki/ca/conf, you will find a new file called 
* copy existing serverCert.profile away and replace with 
* edit serverCert.profile.exampleWithSANpattern
   - follow the instruction right above 8.default.
   - save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
   - follow the instruction right above policyset.serverCertSet.9
   - save and quit
* save away and edit the ca config file for pkispawn: (note: you can add 
multiple SAN's delimited by ',' for pki_san_server_cert
   - add the following lines, e.g.
   - do the same pkispawn cfg changes for kra or any other instances 
that you plan on creating
* create your instance(s)
   check the sl sever cert, it should contain something like the following:

                 Identifier: Subject Alternative Name -
                     Critical: no
                         DNSName: host1.Example.com

More information about the Pki-devel mailing list