[Pki-users] keygen support in RA

Andrew Wnuk awnuk at redhat.com
Sat Jun 4 00:41:00 UTC 2011


On 06/03/2011 11:14 AM, Mike Helm wrote:
> Andrew Wnuk writes:
>> On 06/02/2011 08:04 PM, Mike Helm wrote:
>>> I'm trying to support keygen-provisioned browsers in the RA.
>>> I can do almost everything needed, but I can't figure out how
>>> to get the subject name into the certificate.
>>>
>>> I can definitely get the CA to pick up the subject name as
>>> a parameter, but either I am not giving it the right name in the
>>> parameter blob, or something else is amiss.   What the CA does
>>> is issue these RA-approved requests with a subject name the
>>> same as the CA's.
>> Michael,
>>
>> You may try to change policy from "Subject Name Default" to "User
>> Supplied Subject Name Default" in the profile generating your certificate.
> Thanks, I will try this.
>
>>
>>> (Non-keygen requests are processed differently and the subject AVAs
>>> should be embedded in the request. It would be nice to be able
>>> to have RA agents edit request subject names before submission, tho.)
>> You need to customize RA's UI to add subject name components not
>> provided by current UI.
> That is _exactly_ what I am in the midst of doing.  I can do whatever
> I need to do on the client (RA javascript) side, but I don't know how
> to get the subject components to the CA itself - I've sent it all
> kinds of things & successfully gotten it to write the certificate
> subjectaltname component, but not the subject.
>
> Our plan is to let the profile handle all the policy attributes and
> only bring over the user/ee - specific content.  That's our use case.
>
> If anyone else is working on this I'd be delighted to work with you.
> There are a lot of browsers we can support if we can keygen support
> out to the RA.
>
> Thanks, ==mwh
Which browser are you trying to support?



