[Pki-users] Modify Certificate Profies - include SubjectAltName
Marc Sauton
msauton at redhat.com
Thu May 1 01:25:04 UTC 2008
Ebbe Hansen wrote:
> I have succeeded adding the SubjectAltName extension - it turns out the
> Policy settings in the Dogtag CA are set to capture the "Requestor Email"
> field while the Subject's Email field is the value that goes into the 'E='
> part of the DN!
>
> Is this by "intent" or can/should the Profile file(s) be modified to
> guarantee the email values in the DN and the SubjectAltName cannot be
> different (i.e. avoiding a typical user-introduced error).
>
The DN can be customized in a profile, e.g.:
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
The SubjectAltName extension configuration in a profile has just a
default value for an example which you can tune to your needs in a
profile, e.g.:
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
Profiles and the web UI can be customized.
Some doc links:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Certificate_Profiles-About_Certificate_Profiles.html
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-Subject_Alternative_Name_Extension_Default.html
M.
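A constructed illustration of what the two profile settings above do, added here and not code from the thread or from Dogtag itself: it resolves the $request.<attr>$ tokens of a small profile fragment against an enrollment request and reports whether the resulting DN passes the subject-name constraint and whether the E= value in the DN agrees with the SAN rfc822Name, which is exactly the mismatch Ebbe describes when "Requestor Email" and the subject's email differ. Only subjectNameConstraintImpl, the UID=.* pattern and the subjAltExtPattern_0 / subjAltExtGNEnable_0 lines come from the thread; the subject-name default line, the $request.uid$ and $request.subject_email$ tokens, the sample addresses, and the modelling of the constraint as an anchored regex are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed Dogtag-style profile fragment. The constraint lines and the
# subjAltExtPattern_0 / subjAltExtGNEnable_0 lines mirror the ones quoted in
# the thread; the subject-name default line and its $request.uid$ and
# $request.subject_email$ tokens are assumptions made for this illustration.
PROFILE_CFG = """\
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.default.params.name=UID=$request.uid$,E=$request.subject_email$,O=Example
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
"""

SUBJECT_KEY = "policyset.userCertSet.1.default.params.name"
SUBJECT_PATTERN_KEY = "policyset.userCertSet.1.constraint.params.pattern"
SAN_PATTERN_KEY = "policyset.userCertSet.8.default.params.subjAltExtPattern_0"
SAN_ENABLE_KEY = "policyset.userCertSet.8.default.params.subjAltExtGNEnable_0"

TOKEN_RE = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse key=value lines of a profile .cfg; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def resolve(pattern: str, request: Dict[str, str]) -> str:
    """Substitute $request.<attr>$ tokens from the enrollment request.

    A missing attribute resolves to the empty string, which is how an empty
    SAN shows up when the request carries no requestor_email at all."""
    return TOKEN_RE.sub(lambda m: request.get(m.group(1), ""), pattern)


def dn_attribute(dn: str, attr: str) -> Optional[str]:
    """Return the value of the first ATTR= component of a comma-separated DN."""
    for rdn in dn.split(","):
        name, sep, value = rdn.partition("=")
        if sep and name.strip().upper() == attr.upper():
            return value.strip()
    return None


def check_request(cfg: Dict[str, str], request: Dict[str, str]) -> Dict[str, object]:
    """Resolve DN and SAN for one request and report the two things a reviewer
    cares about: does the DN satisfy the subject-name constraint, and do the
    DN's E= component and the SAN rfc822Name carry the same address?"""
    dn = resolve(cfg[SUBJECT_KEY], request)
    san_email = None
    if cfg.get(SAN_ENABLE_KEY, "false").lower() == "true":
        san_email = resolve(cfg[SAN_PATTERN_KEY], request) or None
    dn_email = dn_attribute(dn, "E")
    # Assumption: the constraint pattern behaves like a regex anchored at the
    # start of the DN; the real plugin's exact matching rules are not in the thread.
    constraint_ok = re.match(cfg[SUBJECT_PATTERN_KEY], dn) is not None
    emails_agree = (dn_email or "").lower() == (san_email or "").lower()
    return {
        "dn": dn,
        "dn_email": dn_email,
        "san_email": san_email,
        "constraint_ok": constraint_ok,
        "emails_agree": emails_agree,
    }


# Two constructed enrollment requests: one consistent, one carrying the
# user-introduced mismatch between requestor and subject email.
CONSISTENT_REQUEST = {"uid": "ehansen", "subject_email": "ehansen@example.test",
                      "requestor_email": "ehansen@example.test"}
MISMATCHED_REQUEST = {"uid": "ehansen", "subject_email": "ehansen@example.test",
                      "requestor_email": "helpdesk@example.test"}

if __name__ == "__main__":
    cfg = parse_profile(PROFILE_CFG)
    for label, req in (("consistent", CONSISTENT_REQUEST), ("mismatched", MISMATCHED_REQUEST)):
        print(label, check_request(cfg, req))
```

Running the check over a batch of pending requests before approval gives an agent the "emails_agree" flag that the profile alone does not enforce; pointing subjAltExtPattern_0 at the same request attribute the DN's E= uses removes the discrepancy at the source.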
> Ebbe @ SPYRUS
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
>
> -----Original Message-----
> From: Marc Sauton [mailto:msauton at redhat.com]
> Sent: Wednesday, April 30, 2008 10:17 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Modify Certificate Profies - include
> SubjectAltName
>
> If /var/lib/pki-ca/profiles/ca/caUserCert.cfg
> has
> policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> and the enrollment request has an e-mail, the subject alt name extension
> field should be correctly initialized upon certificate issuance.
> You may want to turn on some debug in CS.cfg
> debug.enabled=true
> debug.level=0
> and see your debug log for more details.
> M.
>
> It depends how the request had
>
> Ebbe Hansen wrote:
>
>> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
>> Agent profile-list) it appears it should trigger the inclusion of the
>> "SubjectAltName" extension. I have not been successful generating any
>> certificates where the SubjectAltName extension is included!
>>
>> In the Agents display the SubjectAltName is listed as 'Null' - even
>> after editing the 'Null' to the desired RFC822 value, the issued
>> certificate always comes without any SubjectAltName extension?
>>
>> What can I do to get the CA to include the SubjectAltName extension? I
>> am always specifying an email value in the request field!
>>
>> Ebbe
>>
> ------------------------------------------------------------------------
>
>> *From:* pki-users-bounces at redhat.com
>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
>> *Sent:* Wednesday, April 09, 2008 10:10 PM
>> *To:* pki-users at redhat.com
>> *Subject:* Re: [Pki-users] Modify Certificate Profies
>>
>> Thanks. That worked.
>>
>> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com
>> <mailto:cfu at redhat.com>> wrote:
>>
>> Profiles can be configured in <Dogtag install root>/profiles/ca. If
>> you add your own new profiles, you need to modify <Dogtag install
>> root>/conf/CS.cfg "profile.list" to contain the new profile name, and
>> add the corresponding "class_id" and "config" (see the existing
>> entries in CS.cfg as example), and restart the CA.
>>
>> In addition, Dogtag provides flexible plugin infrastructure that
>> allows people to customize various areas. Profile is one of them.
>> The standard profile related plugins code is in
>> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
>> users who know what they are doing. Make sure the certs produced still
>> comply.
>>
>> hope this helps.
>> Christina
>>
>> Chris wrote:
>>
>> Sorry, hit the send by mistake....
>>
>> I've successfully installed Dogtag. The documentation was clear and I
>> didn't have any issues.
>> My question is in regards to customizing certificate profiles. In the
>> current CA environment I manage, I deal with customizing profiles. Is
>> there a way to create customized certificate profiles?
>> The fields which apply are:
>> CertificatePolicies
>> - Policy Identifier
>> - User Notice with custom text
>> ExtendedKeyUsage
>> - New Key Usage OID
>> Also, in one profile, we've created a new field that programmatically
>> ties to the EKU
>>
>> On our current CA software, a config file is modified to customize
>> profiles. Also there is some DER encoding required to convert the
>> appropriate text.
>>
>> Is this feature available?
>>
>>
>>
> ------------------------------------------------------------------------
>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
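Christina Fu's registration steps quoted above (put the profile file in profiles/ca, add its name to "profile.list" in CS.cfg, add the matching "class_id" and "config" entries, restart the CA), as an added Python helper that is not from the thread or from Dogtag: it edits a CS.cfg fragment idempotently and refuses a name that would corrupt the comma-separated profile.list, a duplicate registration, or a class_id that no existing entry uses. The profile.<name>.class_id / profile.<name>.config key shape, the caEnrollImpl value and the caServerCert entry are assumptions modelled on the "existing entries" she points to; only the caUserCert.cfg path is quoted in the thread, and the restart is left to the operator.

```python
import re
from typing import List, Set

# Constructed CS.cfg fragment (not a real installation). The
# profile.<name>.class_id / profile.<name>.config key shape and the
# caEnrollImpl value are assumptions modelled on the "existing entries"
# the thread refers to; the caUserCert.cfg path is the one quoted in it.
CS_CFG = """\
profile.list=caUserCert,caServerCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=/var/lib/pki-ca/profiles/ca/caUserCert.cfg
profile.caServerCert.class_id=caEnrollImpl
profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg
"""

NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
CLASS_ID_RE = re.compile(r"^profile\.([A-Za-z0-9_]+)\.class_id=(.*)$")


def profile_list(text: str) -> List[str]:
    """Return the names in profile.list, in file order (empty if the key is absent)."""
    for line in text.splitlines():
        if line.startswith("profile.list="):
            return [p.strip() for p in line.partition("=")[2].split(",") if p.strip()]
    return []


def known_class_ids(text: str) -> Set[str]:
    """class_id values already used by registered profile entries."""
    ids: Set[str] = set()
    for line in text.splitlines():
        m = CLASS_ID_RE.match(line)
        if m:
            ids.add(m.group(2).strip())
    return ids


def register_profile(text: str, name: str, class_id: str, config_path: str) -> str:
    """Return CS.cfg text with a new profile registered, or raise ValueError.

    Refuses a name that would corrupt the comma-separated profile.list, a
    duplicate registration, and a class_id no existing entry uses (a typo
    there would leave the CA unable to load the profile after restart)."""
    if not NAME_RE.match(name):
        raise ValueError(f"profile name {name!r} must be alphanumeric/underscore only")
    existing = profile_list(text)
    if name in existing:
        raise ValueError(f"profile {name!r} is already in profile.list")
    if class_id not in known_class_ids(text):
        raise ValueError(f"class_id {class_id!r} is not used by any existing profile entry")
    lines = text.splitlines()
    new_list = "profile.list=" + ",".join(existing + [name])
    if any(l.startswith("profile.list=") for l in lines):
        lines = [new_list if l.startswith("profile.list=") else l for l in lines]
    else:
        lines.insert(0, new_list)  # no profile.list yet: create it
    lines.append(f"profile.{name}.class_id={class_id}")
    lines.append(f"profile.{name}.config={config_path}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder path for the new profile file; the CA must be restarted afterwards.
    updated = register_profile(CS_CFG, "caCustomUserCert", "caEnrollImpl",
                               "/var/lib/pki-ca/profiles/ca/caCustomUserCert.cfg")
    print(updated)
```

Keeping the edit in a function that returns the new text (rather than writing in place) lets an operator diff the result against the live CS.cfg before replacing it and restarting the CA.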