[Pki-users] Modify Certificate Profiles - include SubjectAltName

Marc Sauton msauton at redhat.com
Wed Apr 30 17:16:59 UTC 2008


If /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension 
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.

It depends how the request had

Ebbe Hansen wrote:
>
> Looking at the ‘CAUserCert.cfg’ profile (first profile on the WEB 
> Agent profile-list) it appears it should trigger the inclusion of the 
> “SubjectAltName” extension. I have not been successful generating any 
> certificates where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as ‘Null’ – even 
> after editing the ‘Null’ to the desired RFC822 value, the issued 
> certificate always comes without any SubjectAltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I 
> am always specifying an email value in the request field!
>
> Ebbe
>
> ------------------------------------------------------------------------
>
> *From:* pki-users-bounces at redhat.com 
> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profiles
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If 
> you add your own new profiles, you need to modify <Dogtag install 
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and 
> add the corresponding "class_id" and "config" (see the existing 
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that 
> allows people to customize various areas. Profile is one of them.
> The standard profile related plugins code is in 
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced 
> users who know what they are doing. Make sure the certs produced still 
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've successfully installed Dogtag. The documentation was clear and I 
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the 
> current CA environment I manage, I deal with customizing profiles. Is 
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programmatically 
> ties to the EKU
>
> On our current CA software, a config file is modified to customize 
> profiles. Also there is some DER encoding required to convert the 
> appropriate text.
>
> Is this feature available?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>   
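
The two conditions named in the reply above (the pattern entry is enabled in the profile, and the enrollment request carries an e-mail) can be checked offline against a copy of the profile file. This is an added example, not part of the original thread and not Dogtag code: the variable substitution is a simplified model, and the second profile entry and the request dictionaries are constructed for illustration.

```python
import re

# Constructed sample: the two lines quoted in the reply, plus a second, disabled entry.
SAMPLE_PROFILE = """\
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltExtPattern_1=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=false
"""

PATTERN_KEY = re.compile(r"^(policyset\.\w+\.\d+\.default\.params\.)subjAltExtPattern_(\d+)$")
REQUEST_VAR = re.compile(r"\$request\.(\w+)\$")

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_san(cfg, request):
    """Return (key, status, value) for every subjAltExtPattern_N entry."""
    results = []
    for key in sorted(cfg):
        m = PATTERN_KEY.match(key)
        if not m:
            continue
        prefix, idx = m.groups()
        # The matching enable flag must be present and true for this index.
        enabled = cfg.get(f"{prefix}subjAltExtGNEnable_{idx}", "").lower() == "true"
        if not enabled:
            results.append((key, "disabled", None))
            continue
        # Every $request.X$ variable in the pattern needs a non-empty request field.
        missing = [v for v in REQUEST_VAR.findall(cfg[key]) if not request.get(v)]
        if missing:
            results.append((key, "missing request field: " + ",".join(missing), None))
            continue
        value = REQUEST_VAR.sub(lambda mm: request[mm.group(1)], cfg[key])
        results.append((key, "ok", value))
    return results

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_PROFILE)
    for req in ({"requestor_email": "user@example.com"}, {"requestor_name": "user"}):
        for row in check_san(cfg, req):
            print(req, row)
```

Pass the contents of the real caUserCert.cfg to parse_cfg in place of SAMPLE_PROFILE to check an installed profile.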



