[Pki-users] Modify Certificate Profiles - include SubjectAltName
Marc Sauton
msauton at redhat.com
Wed Apr 30 17:16:59 UTC 2008
If /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has

  policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
  policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true

and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.

You may want to turn on some debug in CS.cfg

  debug.enabled=true
  debug.level=0

and see your debug log for more details.
M.
It depends how the request had

Ebbe Hansen wrote:
>
> Looking at the ‘CAUserCert.cfg’ profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> “SubjectAltName” extension. I have not been successful generating any
> certificates where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as ‘Null’ – even
> after editing the ‘Null’ to the desired RFC822 value, the issued
> certificate always comes without any SubjectAltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
> am always specifying an email value in the request field!
>
> Ebbe
>
> ------------------------------------------------------------------------
>
> *From:* pki-users-bounces at redhat.com
> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profiles
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com
> <mailto:cfu at redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related plugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced still
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've successfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manage, I deal with customizing profiles. Is
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programmatically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
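
An added example (not part of the original thread, and not Dogtag code): a small Python check for the two profile keys named in the reply at the top of this message, which also lists the request fields each pattern depends on. The sample profile text and the function names are constructed for illustration; only the key=value layout shown in the message is assumed.

```python
import re

# Constructed sample in the style of caUserCert.cfg; slot 1 is deliberately disabled.
SAMPLE_PROFILE = """\
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltExtPattern_1=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=false
"""

KEY_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<id>[^.]+)\.default\.params\."
    r"subjAltExt(?P<field>Pattern|GNEnable)_(?P<slot>\d+)$"
)

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_san_slots(text):
    """Map (policy set, policy id, slot) to its problems and required request fields."""
    slots = {}
    for key, value in parse_properties(text).items():
        m = KEY_RE.match(key)
        if m:
            slot = (m["set"], m["id"], int(m["slot"]))
            slots.setdefault(slot, {})[m["field"]] = value
    report = {}
    for slot, fields in sorted(slots.items()):
        problems = []
        pattern = fields.get("Pattern", "")
        if not pattern:
            problems.append("subjAltExtPattern is missing or empty")
        if fields.get("GNEnable", "").lower() != "true":
            problems.append("subjAltExtGNEnable is not true")
        # $request.<name>$ variables must be present in the enrollment request.
        needed = re.findall(r"\$request\.([^$]+)\$", pattern)
        report[slot] = {"problems": problems, "request_fields": needed}
    return report

if __name__ == "__main__":
    for slot, result in check_san_slots(SAMPLE_PROFILE).items():
        print(slot, result["problems"] or "ok", "needs:", result["request_fields"])
```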