[Pki-users] setting DNSName in subjectAltName extension

Marc Sauton msauton at redhat.com
Tue Aug 14 23:05:57 UTC 2012


On 08/14/2012 03:26 PM, Mike Helm wrote:
>
> I need to set DNSName in server subjectAltname extensions, but
> having difficulty getting the server's name into this field.
>
> I've read this:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>
> I can set the RFC822name value using this (see table B-15)
> $request.requestor_email$
> by making sure there's a requestor_email=something in the GET from the
> RA.  There really isn't anything that corresponds to what DNSName should
> be but I expected $request.subject$ would do; I added subject=some.thing.dom,
> but no, I get "$request.subject$" as a literal string.
>
> I also tried the obviously wrong example in Example B.1 (before the table) -
> policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
> same thing, $request.SAN1$ literal.
>
> I can set subjAltExtPattern_1 to my own literal string, but obviously that's
> counterproductive.  I can set it to $request.requestor_email$ and get the email
> address in DNSName - if I didn't have cases where BOTH subjectAltName fields
> were needed I'd just re-purpose requestor_email.
>
> So - what works and how?  I'm stumped.  Any ideas appreciated.  Thanks, ==mwh
>

Something like this should work fine:

policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
policyset.encryptionCertSet.8.constraint.name=No Constraint
policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=true
policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=8
#
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_0=IPAddress
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=10.1.2.3
#
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_1=RFC822Name
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_1=$request.SAN1$
#
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_2=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_2=RFC822Name
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_2=$request.requestor_email$
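
An added example, not part of the original thread and not Red Hat Certificate System code: a small Python check that groups the subjAltExt* settings from the profile above by index and reports which enabled entries reference a $request.NAME$ variable the enrollment request does not supply. It assumes the behaviour reported in the question (an unmatched pattern is left in the certificate as a literal string); the set of request parameter names passed in is hypothetical.

```python
import re

# Constructed sample: the SAN section of the profile posted above.
SAMPLE_PROFILE = """\
policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=8
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_0=IPAddress
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=10.1.2.3
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_1=RFC822Name
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_1=$request.SAN1$
policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_2=true
policyset.encryptionCertSet.8.default.params.subjAltExtType_2=RFC822Name
policyset.encryptionCertSet.8.default.params.subjAltExtPattern_2=$request.requestor_email$
"""

KEY = re.compile(r"\.params\.subjAltExt(GNEnable|Type|Pattern)_(\d+)=(.*)$")
VAR = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")

def parse_san_entries(profile_text):
    """Group subjAltExt* settings by their numeric index."""
    entries = {}
    for line in profile_text.splitlines():
        m = KEY.search(line.strip())
        if m:
            field, idx, value = m.groups()
            entries.setdefault(int(idx), {})[field] = value
    return entries

def audit(profile_text, request_params):
    """Return (index, type, problem) for each enabled entry that will not expand."""
    findings = []
    for idx, e in sorted(parse_san_entries(profile_text).items()):
        if e.get("GNEnable", "false").lower() != "true":
            continue
        missing = [v for v in VAR.findall(e.get("Pattern", "")) if v not in request_params]
        if missing:
            findings.append((idx, e.get("Type"), "request lacks: " + ", ".join(missing)))
    return findings

def unexpanded_sans(san_values):
    """Flag SAN values in an issued certificate that still contain a placeholder."""
    return [v for v in san_values if VAR.search(v)]

if __name__ == "__main__":
    # Hypothetical request that supplies requestor_email but no SAN1 parameter.
    print(audit(SAMPLE_PROFILE, {"requestor_email"}))
    print(unexpanded_sans(["$request.SAN1$", "admin@example.com"]))
```

Running unexpanded_sans over the SAN values of issued certificates catches any that already went out with a placeholder in place of a real name.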
