[Pki-users] Modify Certificate Profiles - include SubjectAltName

Marc Sauton msauton at redhat.com
Thu May 1 01:25:04 UTC 2008


Ebbe Hansen wrote:
> I have succeeded adding the SubjectAltName extension - it turns out the
> Policy settings in the Dogtag CA are set to capture the "Requestor Email"
> field while the Subject's Email field is the value that goes into the 'E='
> part of the DN!
>
> Is this by "intent" or can/should the Profile file(s) be modified to
> guarantee the email values in the DN and the SubjectAltName cannot be
> different (i.e. avoiding a typical user-introduced error).
>   
The dn can be customized in a profile, e.g.:
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*

The SubjectAltName extension configuration in a profile has just a 
default value for an example which you can tune to your needs in a 
profile, e.g.:
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$

Profiles and the web ui can be customized.
Some doc links:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Certificate_Profiles-About_Certificate_Profiles.html
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-Subject_Alternative_Name_Extension_Default.html

M.
> Ebbe @ SPYRUS
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
>
> -----Original Message-----
> From: Marc Sauton [mailto:msauton at redhat.com] 
> Sent: Wednesday, April 30, 2008 10:17 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Modify Certificate Profiles - include SubjectAltName
>
> If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
> has
> policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> and the enrollment request has an e-mail, the subject alt name extension
> field should be correctly initialized upon certificate issuance.
> You may want to turn on some debug in CS.cfg
> debug.enabled=true
> debug.level=0
> and see your debug log for more details.
> M.
>
> It depends how the request had
>
> Ebbe Hansen wrote:
>   
>> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
>> Agent profile-list) it appears it should trigger the inclusion of the
>> "SubjectAltName" extension. I have not been successful generating any
>> certificates where the SubjectAltName extension is included!
>>
>> In the Agents display the SubjectAltName is listed as 'Null' - even
>> after editing the 'Null' to the desired RFC822 value, the issued
>> certificate always comes without any SubjectAltName extension?
>>
>> What can I do to get the CA to include the SubjectAltName extension? I
>> am always specifying an email value in the request field!
>>
>> Ebbe
>>
>> From: pki-users-bounces at redhat.com
>> [mailto:pki-users-bounces at redhat.com] On Behalf Of Chris
>> Sent: Wednesday, April 09, 2008 10:10 PM
>> To: pki-users at redhat.com
>> Subject: Re: [Pki-users] Modify Certificate Profiles
>>
>> Thanks. That worked.
>>
>> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com> wrote:
>>
>> Profiles can be configured in <Dogtag install root>/profiles/ca. If
>> you add your own new profiles, you need to modify <Dogtag install
>> root>/conf/CS.cfg "profile.list" to contain the new profile name, and
>> add the corresponding "class_id" and "config" (see the existing
>> entries in CS.cfg as example), and restart the CA.
>>
>> In addition, Dogtag provides flexible plugin infrastructure that
>> allows people to customize various areas. Profile is one of them.
>> The standard profile related plugins code is in
>> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
>> users who know what they are doing. Make sure the certs produced still
>> comply.
>>
>> hope this helps.
>> Christina
>>
>> Chris wrote:
>>
>>
>> Sorry, hit the send by mistake....
>>
>> I've successfully installed Dogtag. The documentation was clear and I
>> didn't have any issues.
>> My question is in regards to customizing certificate profiles. In the
>> current CA environment I manage, I deal with customizing profiles. Is
>> there a way to create customized certificate profiles?
>> The fields which apply are:
>> CertificatePolicies
>> - Policy Identifier
>> - User Notice with custom text
>> ExtendedKeyUsage
>> - New Key Usage OID
>> Also, in one profile, we've created a new field that programmatically
>> ties to the EKU
>>
>> On our current CA software, a config file is modified to customize 
>> profiles. Also there is some DER encoding required to convert the 
>> appropriate text.
>>
>> Is this feature available?
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

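Christina's reply above gives the registration steps for a new profile: the name goes into "profile.list" in CS.cfg, with matching "profile.<name>.class_id" and "profile.<name>.config" keys, and the CA is restarted. The following is an added example (not Dogtag's code and not from the thread) that lints exactly those keys before a restart: every listed profile must have both keys, the referenced file must exist and parse, and a profile that has a config key but was never added to profile.list is flagged. The CS.cfg texts, the profile files and the class_id value "caEnrollImpl" are constructed samples; it also assumes a relative "config" path resolves against the instance root and that a profile file carries a "policyset.list" key.

```python
"""Lint the profile registration in a Dogtag CA's CS.cfg.

Added example for the registration step described in the thread (put the new
profile name in "profile.list", give it "profile.<name>.class_id" and
"profile.<name>.config", restart the CA); this is not Dogtag code.  The CS.cfg
texts and profile files below are constructed samples written to a temporary
directory.  Assumptions: a relative "config" value resolves against the
directory passed as root, and a profile file carries a "policyset.list" key.
"""
import os
import tempfile


def parse_kv(text):
    """Parse Dogtag-style key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_profile_registration(cs_cfg, root):
    """Return a list of problems; empty means every profile in profile.list has a
    class_id and a config file that exists and names its policy sets."""
    problems = []
    listed = [n.strip() for n in cs_cfg.get("profile.list", "").split(",") if n.strip()]
    for name in listed:
        if not cs_cfg.get(f"profile.{name}.class_id"):
            problems.append(f"{name}: missing profile.{name}.class_id")
        config = cs_cfg.get(f"profile.{name}.config")
        if not config:
            problems.append(f"{name}: missing profile.{name}.config")
            continue
        path = config if os.path.isabs(config) else os.path.join(root, config)
        if not os.path.isfile(path):
            problems.append(f"{name}: config file not found: {config}")
            continue
        with open(path, encoding="utf-8") as fh:
            profile = parse_kv(fh.read())
        if "policyset.list" not in profile:  # assumption: a profile file declares its policy sets
            problems.append(f"{name}: {config} has no policyset.list")
    # The thread's first step is that profile.list must contain the name;
    # flag registrations (profile.<name>.config present) that skipped it.
    registered = {k.split(".")[1] for k in cs_cfg
                  if k.startswith("profile.") and k.endswith(".config") and k.count(".") == 2}
    for name in sorted(registered - set(listed)):
        problems.append(f"{name}: has profile.{name}.config but is not in profile.list")
    return problems


# Constructed sample files; "caEnrollImpl" is used as an illustrative class_id.
SAMPLE_PROFILES = {
    "profiles/ca/caUserCert.cfg": "profileId=caUserCert\nenable=true\npolicyset.list=userCertSet\n",
    "profiles/ca/caCustomCert.cfg": "profileId=caCustomCert\nenable=true\npolicyset.list=customSet\n",
    "profiles/ca/caBroken.cfg": "profileId=caBroken\nenable=true\n",  # no policyset.list
}

CS_CFG_OK = """
profile.list=caUserCert,caCustomCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=profiles/ca/caUserCert.cfg
profile.caCustomCert.class_id=caEnrollImpl
profile.caCustomCert.config=profiles/ca/caCustomCert.cfg
"""

CS_CFG_BAD = """
profile.list=caUserCert,caCustomCert,caBroken,caMissingCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=profiles/ca/caUserCert.cfg
profile.caCustomCert.config=profiles/ca/caCustomCert.cfg
profile.caBroken.class_id=caEnrollImpl
profile.caBroken.config=profiles/ca/caBroken.cfg
profile.caMissingCert.class_id=caEnrollImpl
profile.caMissingCert.config=profiles/ca/caMissingCert.cfg
profile.caOrphan.class_id=caEnrollImpl
profile.caOrphan.config=profiles/ca/caCustomCert.cfg
"""


def run_demo():
    """Write the sample tree to a temp dir and lint both CS.cfg variants."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_PROFILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return (check_profile_registration(parse_kv(CS_CFG_OK), root),
                check_profile_registration(parse_kv(CS_CFG_BAD), root))


if __name__ == "__main__":
    ok, bad = run_demo()
    print("ok:", ok or "no problems")
    for p in bad:
        print("bad:", p)
```

Run against a real instance by feeding parse_kv the contents of conf/CS.cfg and passing the instance root; the four problems the constructed CS_CFG_BAD produces (missing class_id, profile file without policy sets, missing file, registered-but-unlisted profile) are the cases a restart would otherwise surface one at a time.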

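Marc's answers above point at the two places an e-mail can enter a user certificate: the SubjectAltName default pattern "$request.requestor_email$" and the E= component of the subject DN, which is why Ebbe saw them disagree. The following is an added example (not Dogtag's code and not from the thread) that models that behaviour: it expands "$request.<attr>$" tokens from a request the way the quoted subjAltExtPattern_0 line implies, extracts E= from the DN, applies the quoted subject-name constraint, and reports whether the two e-mail values agree. Assumptions: the constraint pattern is treated as a regular expression matched against the whole DN string, the "subjAltExtType_0=RFC822Name" line is an assumed way of naming the general-name type, and the profile fragment and the requests are constructed.

```python
"""Model the two places a Dogtag user-certificate profile takes an e-mail from.

Added example, not Dogtag code.  The thread observes that the SubjectAltName
default reads $request.requestor_email$ while the E= component of the subject
DN comes from the request's subject, so the two can disagree.  This script
expands $request.<attr>$ tokens, pulls E= out of the DN and reports whether
they agree.  Assumptions: the subject-name constraint pattern is applied as a
regular expression over the whole DN string; the profile fragment and the
requests below are constructed.
"""
import re

# Constructed profile fragment: the constraint and subjAltExtPattern_0 /
# subjAltExtGNEnable_0 lines are as quoted in the thread; the subjAltExtType_0
# line is an assumption about how the general-name type is named.
PROFILE_FRAGMENT = """
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
"""

REQUEST_TOKEN = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")


def parse_profile(text):
    """key=value lines into a dict; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def expand_pattern(pattern, request):
    """Replace every $request.<attr>$ token with that request attribute
    (empty string when the request does not carry it)."""
    return REQUEST_TOKEN.sub(lambda m: request.get(m.group(1), ""), pattern)


def dn_attribute(dn, attr):
    """Value of the first attr= RDN in a comma-separated DN, or None.
    Commas escaped as '\\,' inside a value are honoured; other escapes are not."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == attr.upper():
            return value.strip().replace("\\,", ",")
    return None


def evaluate(profile, request, policyset="userCertSet", constraint_id="1", san_id="8"):
    """Apply the profile's subject-name constraint and SAN default to one request."""
    base = f"policyset.{policyset}."
    dn_pattern = profile[base + f"{constraint_id}.constraint.params.pattern"]
    san_pattern = profile[base + f"{san_id}.default.params.subjAltExtPattern_0"]
    san_enabled = profile.get(base + f"{san_id}.default.params.subjAltExtGNEnable_0") == "true"

    dn = request["subject"]
    san_email = expand_pattern(san_pattern, request) if san_enabled else None
    dn_email = dn_attribute(dn, "E")
    return {
        "subject": dn,
        # assumption: the constraint pattern is a regex over the whole DN string
        "dn_ok": re.fullmatch(dn_pattern, dn) is not None,
        "rfc822_san": san_email,
        "dn_email": dn_email,
        # the check Ebbe asked for: SAN e-mail and E= in the DN must agree
        "consistent": bool(san_email) and dn_email is not None
                      and san_email.lower() == dn_email.lower(),
    }


# Constructed requests: consistent, mismatched requestor_email, no requestor_email,
# and a subject that does not satisfy the UID=.* constraint.
REQUESTS = [
    {"subject": "UID=ehansen,E=ehansen@example.com,O=Example", "requestor_email": "ehansen@example.com"},
    {"subject": "UID=ehansen,E=ehansen@example.com,O=Example", "requestor_email": "e.hansen@example.org"},
    {"subject": "UID=ehansen,E=ehansen@example.com,O=Example"},
    {"subject": "CN=Ebbe Hansen,E=ehansen@example.com,O=Example", "requestor_email": "ehansen@example.com"},
]


def run_demo():
    profile = parse_profile(PROFILE_FRAGMENT)
    return [evaluate(profile, r) for r in REQUESTS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The second request is the case from the thread: the SAN default happily takes whatever was typed into Requestor Email, so the profile itself will not reject it; a check like "consistent" has to be done either at the agent's approval step or, as Marc suggests, by changing the pattern so both values are derived from the same request attribute.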