[Pki-users] DogTag 1.3 and Subject Alternate Name
Marc Sauton
msauton at redhat.com
Tue Aug 31 19:13:04 UTC 2010
On 08/31/2010 11:43 AM, Gaiseric Vandal wrote:
>
> I have installed DogTag 1.3 Certificate Server (CA and RA) components
> on Fedora Core 11.
>
> I want to configure a server certificate with a Subject Alternate Name.
>
>
> I used openssl to create a private key and a certificate signing
> request on the server in question.
>
> openssl genrsa -out server1.key -des3 1024
> openssl req -new -key server1.key -out server.csr
>
>
> I am prompted along the way to include an e-mail address and subject
> alternate name. Both are permitted but optional in my openssl.cnf file.
>
> I can look at the csr with
> openssl req -in server.csr -text
>
>
>
>
> By default, openssl by default recreates a req with the following line
>
> Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT,
> CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail at company.com
>
>
>
>
> You can see that e-mail and SAN are part of the CN attribute.
>
> I went to the "Certificate System RA Services Page"
> (https://myserver:12890) - > SSL End Users Services -> Server
> Enrollment -> Request Submission. I pasted the contents of the csr
> file into the web page. The administrator (i.e. me) gets e-mail
> notification of a certificate request, and follows the link to
> approve it. However if I have included either e-mail or SAN the
> request will fail because the subject name doesn't match.
>
> CA: Request Rejected - Subject Name Not Matched
> E=mymail at company.com,CN=server.company.com,OU=IT,O=My
> Company,L=MyCity,ST=California,C=US
>
>
>
>
> If I compare the dogtag error message to the original csr file I can
> see that dogtag expects a different syntax for e-mail. Dogtag
> expects it as a separate "E" attribute (It still seems to have
> translated the attributes appropriately but then complains the
> subject doesn't match.) I can work around this by either omitting
> e-mail in the csr altogether or explicitly setting the subject
> attribute with the "openssl req -subj"
>
> -> openssl req -new -key server.key -out server.csr -subj
> "/E=mymail at company.com,CN=server.company.com,OU=IT,O=My Company
> Name,L=MyCity,ST=California,C=US"
> Enter pass phrase for server.key:
> Subject Attribute E has no known NID, skipped
> ->
>
>
> However, I can't figure out how to make this work for the Subject
> Alternate Name.
>
> DogTag rejects the certificate with
>
> CA: Request Rejected - Subject Name Not Matched E=mymail at company.com
> ,2.5.29.17=www.company.com,CN=server....
>
For this error, if you enroll for a user cert, see the CA profile
/var/lib/pki-ca/profiles/ca/caDualRAuserCert.cfg
and change the default configuration for
policyset.userCertSet.1.constraint.params.pattern=.*UID=.*
to match your needs
>
> Is there a "NID" parameter than dogtag expects for SAN?
>
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20100831/df8cb801/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6642 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20100831/df8cb801/attachment.p7s>
More information about the Pki-users
mailing list