[Pki-users] keygen support in RA

Mike Helm helm at fionn.es.net
Fri Jun 3 18:14:05 UTC 2011


Andrew Wnuk writes:
> On 06/02/2011 08:04 PM, Mike Helm wrote:
> >
> > I'm trying to support keygen-provisioned browsers in the RA.
> > I can do almost everything needed, but I can't figure out how
> > to get the subject name into the certificate.
> >
> > I can definitely get the CA to pick up the subject name as
> > a parameter, but either I am not giving it the right name in the
> > parameter blob, or something else is amiss. What the CA does
> > is issue these RA-approved requests with a subject name the
> > same as the CA's.
> 
> Michael,
> 
> You may try to change policy from "Subject Name Default" to "User
> Supplied Subject Name Default" in the profile generating your certificate.

Thanks, I will try this.

> 
> 
> >
> > (Non-keygen requests are processed differently and the subject AVAs
> > should be embedded in the request. It would be nice to be able
> > to have RA agents edit request subject names before submission, tho.)
> 
> You need to customize RA's UI to add subject name components not 
> provided by current UI.

That is _exactly_ what I am in the midst of doing.  I can do whatever
I need to do on the client (RA JavaScript) side, but I don't know how
to get the subject components to the CA itself - I've sent it all
kinds of things & successfully gotten it to write the certificate
subjectaltname component, but not the subject. 

Our plan is to let the profile handle all the policy attributes and
only bring over the user/ee - specific content.  That's our use case.

If anyone else is working on this I'd be delighted to work with you.
There are a lot of browsers we can support if we can keygen support
out to the RA.

Thanks, ==mwh



