[Pki-users] Problem with Subject Alternative Name Extension

Joshua Roys Joshua.Roys at gtri.gatech.edu
Tue Mar 20 11:29:23 UTC 2012


On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:
>
> Dear pki-users.
>
> I'm trying to setup a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:
>
> Criticality = not critical
> Type = RFC822Name
> Value = the email of the requestor.
>
> I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
>
> policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
> policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
> policyset.cmcUserCertSet.8.constraint.params.extCritical=false
> policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
> policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
> policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
> policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
> policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
> policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
> policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
>
> The input certificate request is generated using certutil and CMCEnroll and the command used is the following:
>
> certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……
>
> The certificate is generated, but the extension is not populated with the email address and I always get:
>
> Identifier: Subject Alternative Name - 2.5.29.17
>                      Critical: no
>                      Value:
>                          RFC822Name: $request.requestor_email$
>

Hello,

In short, the email is not being looked at because 
$request.requestor_email$ is created through the WebUI through an input 
box (Requestor Email).  See [1] for some more variables.  You may want 
to configure the caFullCMCUserCert to copy all subjAltNames in the input 
to the output certificate using the User Supplied Extension Default 
(with 2.5.29.17 as the argument):
"This default populates a User-Supplied Extension (2.5.29.17) to the 
request."

Josh

[1] 
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates
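As an added illustration of the suggestion above (not a fragment from the original thread or from the Dogtag/Red Hat CS profile shipped with the product), this is what the policy entry would look like when the subjectAltNameExtDefaultImpl block at index 8 is swapped for the User Supplied Extension Default. The class_id, parameter name userExtOID and constraint names follow the Red Hat Certificate System admin guide for that default; the policy index and policyset name are kept from the poster's file, and the whole fragment should be checked against the installed profile before use. With this default the CA copies the subjectAltName that certutil's -7 option placed in the request, so the email no longer has to come from a WebUI input field:

```ini
# Replacement for policyset.cmcUserCertSet.8 (assumed placement; verify locally)
policyset.cmcUserCertSet.8.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=No Constraint
policyset.cmcUserCertSet.8.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.8.default.name=User Supplied Extension Default
# OID of subjectAltName: the extension is taken verbatim from the CSR
policyset.cmcUserCertSet.8.default.params.userExtOID=2.5.29.17
```

Because the extension is now copied from the request unchanged, the enrollment path (here CMC-signed requests) is what limits which names a requestor can claim; the old constraint on extCritical is gone, so check the issued certificate's SAN rather than trusting the profile alone.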
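The symptom in the thread is an issued certificate whose rfc822Name is the literal template string rather than an address. The following added example (my own code, not from the poster, Josh or the Dogtag project) parses the DER value of a subjectAltName extension (OID 2.5.29.17) with no external libraries and reports two findings a profile reviewer cares about: an unresolved `$...$` profile variable in an rfc822Name, and the absence of the expected email. The two extension values it checks are constructed inline with a small encoder so the script runs offline; in practice the DER bytes come from the extension of the issued certificate.

```python
"""Verify the rfc822Name entries in a DER-encoded subjectAltName value.

Added example, not part of the original mailing-list thread.  The sample
extension values below are constructed here, not taken from a real CA.
"""

# GeneralName CHOICE tags (context-specific, implicitly tagged IA5String):
# rfc822Name is [1], dNSName is [2], uniformResourceIdentifier is [6].
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier"}


def _read_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_general_names(der):
    """Parse SubjectAltName ::= SEQUENCE OF GeneralName into (kind, value) tuples.

    String forms are decoded as ASCII; any other GeneralName form is kept as
    ('other', raw_bytes) so that nothing is silently dropped.
    """
    if not der or der[0] != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    names = []
    while pos < end:
        tag = der[pos]
        vlen, vpos = _read_length(der, pos + 1)
        if vpos + vlen > end:
            raise ValueError("GeneralName runs past end of SEQUENCE")
        value = der[vpos:vpos + vlen]
        kind = GENERAL_NAME_TAGS.get(tag, "other")
        names.append((kind, value.decode("ascii") if kind != "other" else value))
        pos = vpos + vlen
    return names


def check_rfc822_name(der, expected_email):
    """Return a list of findings (empty list means the SAN is as expected).

    The comparison is exact: a reviewer who wants case-insensitive domains
    should normalise before calling.
    """
    findings = []
    emails = [v for k, v in parse_general_names(der) if k == "rfc822Name"]
    for e in emails:
        # A Dogtag profile variable that was never substituted looks like $name$.
        if e.startswith("$") and e.endswith("$"):
            findings.append(f"unresolved profile variable in rfc822Name: {e}")
    if expected_email not in emails:
        findings.append(f"expected rfc822Name {expected_email} not present")
    return findings


def _encode_length(n):
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(names):
    """Constructed helper: DER-encode [(tag, ascii_string), ...] as a SubjectAltName."""
    body = b"".join(bytes([tag]) + _encode_length(len(v)) + v.encode("ascii") for tag, v in names)
    return b"\x30" + _encode_length(len(body)) + body


# Constructed sample values: what the poster saw, and what was intended.
BROKEN_SAN = encode_san([(0x81, "$request.requestor_email$")])
GOOD_SAN = encode_san([(0x81, "alice@example.com")])

if __name__ == "__main__":
    for label, san in (("broken", BROKEN_SAN), ("good", GOOD_SAN)):
        print(label, parse_general_names(san), check_rfc822_name(san, "alice@example.com"))
```

Pointing `check_rfc822_name` at the extension value of every certificate a profile issues turns the symptom from the thread into a routine check, and the parser's refusal of trailing or overrunning data keeps a malformed extension from being reported as clean.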
