[Pki-users] Problem with Subject Alternative Name Extension

Riccardo Brunetti riccardo.brunetti at to.infn.it
Tue Mar 20 10:54:47 UTC 2012


Dear pki-users,

I'm trying to set up a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:

Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.

I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:

policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1

The input certificate request is generated using certutil and CMCEnroll and the command used is the following:

certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> …… 

The certificate is generated, but the extension is not populated with the email address and I always get:

Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no 
                    Value: 
                        RFC822Name: $request.requestor_email$

These are the installed packages:

pki-java-tools-9.0.18-1.fc15.noarch
pki-selinux-9.0.18-1.fc15.noarch
pki-setup-9.0.18-1.fc15.noarch
pki-ca-9.0.18-1.fc15.noarch
dogtag-pki-common-theme-9.0.10-1.fc15.noarch
pki-symkey-9.0.18-1.fc15.x86_64
pki-native-tools-9.0.18-1.fc15.x86_64
dogtag-pki-ca-theme-9.0.10-1.fc15.noarch
pki-console-9.0.5-1.fc15.noarch
pki-util-9.0.18-1.fc15.noarch
dogtag-pki-console-theme-9.0.10-1.fc15.noarch
pki-common-9.0.18-1.fc15.noarch 

Does anybody have any suggestions on how to solve this issue? Any input would be much appreciated.

Best regards,
Riccardo

Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti at to.infn.it
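As an added example (not part of the post or of the Dogtag project), a small Python decoder for the DER value of the Subject Alternative Name extension (OID 2.5.29.17) that flags the symptom shown above: an rfc822Name entry still holding the literal profile pattern instead of the requestor's address. The SAN bytes are constructed inline and the function names are my own.

```python
# Decode a DER SubjectAltName and flag rfc822Name entries that still carry an
# unsubstituted Dogtag profile pattern such as $request.requestor_email$.
import re

UNSUBSTITUTED = re.compile(r"^\$[\w.]+\$$")       # profile token the CA failed to expand
# Context tags of GeneralName (RFC 5280, 4.2.1.6); all three carry an IA5String.
GN_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier"}

def _tlv(tag, body):
    """DER tag-length-value (short-form length; enough for the constructed samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_san(emails):
    """Build a SAN value: SEQUENCE of [1] IMPLICIT IA5String rfc822Name entries."""
    return _tlv(0x30, b"".join(_tlv(0x81, e.encode("ascii")) for e in emails))

def _length(der, pos):
    """DER length at der[pos] -> (length, next position); handles the long form."""
    if der[pos] < 0x80:
        return der[pos], pos + 1
    n = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der):
    """Return (type, value) pairs from the extension's SEQUENCE OF GeneralName."""
    if der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    length, pos = _length(der, 1)
    end, names = pos + length, []
    while pos < end:
        tag = der[pos]
        length, pos = _length(der, pos + 1)
        body, pos = der[pos:pos + length], pos + length
        kind = GN_TAGS.get(tag, "tag-0x%02x" % tag)
        names.append((kind, body.decode("ascii") if tag in GN_TAGS else body.hex()))
    return names

def san_problems(der):
    """rfc822Name entries that are not usable addresses (the symptom in the post)."""
    problems = []
    for kind, value in parse_san(der):
        if kind == "rfc822Name" and UNSUBSTITUTED.match(value):
            problems.append("unsubstituted profile pattern: " + value)
        elif kind == "rfc822Name" and "@" not in value:
            problems.append("rfc822Name is not an email address: " + value)
    return problems

# Constructed samples: the value the post shows, and what a working profile should emit.
BROKEN_SAN = encode_san(["$request.requestor_email$"])
GOOD_SAN = encode_san(["user@example.test"])
```

Feed it the raw extension value of an issued certificate (for example the bytes behind OID 2.5.29.17 as dumped by your ASN.1 tool) to check a batch of certificates for the same unexpanded pattern.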