[Pki-users] Problem with Subject Alternative Name Extension

Torino riccardo.brunetti at to.infn.it
Tue May 15 13:56:49 UTC 2012


On 20/03/12 12 15:27, Riccardo Brunetti wrote:
>
> Thanks Joshua for the prompt reply and answer.
> I used the User Supplied Extension Default and it works.
>
> Thank you very much again
>
> Best Regards
> Riccardo
>
> Riccardo Brunetti
> INFN-Torino
> Tel: +390116707295
> riccardo.brunetti at to.infn.it <mailto:riccardo.brunetti at to.infn.it>
>
>
>
>
> On 20/mar/2012 12, at 12:29, Joshua Roys wrote:
>
>> On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:
>>>
>>> Dear pki-users.
>>>
>>> I'm trying to setup a pki-ca instance to produce X509 certificates
>>> which include a Subject Alternative Name Extension with the
>>> following attributes:
>>>
>>> Criticality = not critical
>>> Type = RFC822Name
>>> Value = the email of the requestor.
>>>
>>> I'm using the Signed CMC-Authenticated User Certificate Enrollment
>>> profile and this is the relevant section of my
>>> /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
>>>
>>> policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
>>> policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
>>> policyset.cmcUserCertSet.8.constraint.params.extCritical=false
>>> policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
>>> policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
>>> policyset.cmcUserCertSet.8.default.name=Subject Alternative Name
>>> Extension Default
>>> policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
>>> policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
>>> policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
>>> policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
>>> policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
>>>
>>> The input certificate request is generated using certutil and
>>> CMCEnroll and the command used is the following:
>>>
>>> certutil -R -g 2048 -s "<the-subject>" -7"<the-requestor-email>"
>>> -d<a-local-dir>  ……
>>>
>>> The certificate is generated, but the extension is not populated
>>> with the email address and I always get:
>>>
>>> Identifier: Subject Alternative Name - 2.5.29.17
>>>                     Critical: no
>>>                     Value:
>>>                         RFC822Name: $request.requestor_email$
>>>
>>
>> Hello,
>>
>> In short, the email is not being looked at because
>> $request.requestor_email$ is created through the WebUI through an
>> input box (Requestor Email).  See [1] for some more variables.  You
>> may want to configure the caFullCMCUserCert to copy all subjAltNames
>> in the input to the output certificate using the User Supplied
>> Extension Default (with 2.5.29.17 as the argument):
>> "This default populates a User-Supplied Extension (2.5.29.17) to the
>> request."
>>
>> Josh
>>
>> [1]
>> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
>
Dear Pki-users.
I'm having the same problem when trying to generate user certificates
using the web user interface provided by the RA subsystem.
In short, when I request a user certificate using the "User Enrollment"
link in the RA web interface, I'm presented a form in which I enter the
UID, Full Name, Site ID and email.
The certificate which is produced after the RA agent approves the
request contains again an extension like:

Identifier: Subject Alternative Name - 2.5.29.17
                     Critical: no
                     Value:
                         RFC822Name: $request.requestor_email$

The email is contained in the DN of the certificate, which is not what I
want.
I tried to modify the profile caDualRAuserCert, changing the policy 8 as
Josh suggested above, but the answer is that the extension is not found.

Do you have some suggestions?

Thanks a lot
Riccardo

-- 
-------------------
Riccardo Brunetti
INFN - Torino
Tel: +390116707295
Skype: rbrunetti
-------------------
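The two messages above describe one failure mode: a `subjectAltNameExtDefaultImpl` policy whose pattern references `$request.requestor_email$`, a variable that only the WebUI enrollment form populates, so CMC and RA-form requests end up with the literal placeholder in the issued certificate. The following script is an added example (not code from the thread or from the Dogtag/RHCS project) that lints a profile `.cfg` for exactly this situation and scans a certificate pretty-print for unsubstituted `$...$` values. The set of variables each enrollment path populates is a constructed assumption; the `userExtensionDefaultImpl` class id and its `userExtOID` parameter are taken from Dogtag's stock profiles as I remember them and should be checked against the installed profiles before use.

```python
"""Lint Dogtag/RHCS profile SAN defaults and detect unresolved placeholders.

Added example: constructed sample data, not the project's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample: the policy-8 block quoted in the thread.
SAMPLE_PROFILE = """\
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
"""

# Constructed sample: the certificate pretty-print quoted in the thread.
SAMPLE_DUMP = """\
Identifier: Subject Alternative Name - 2.5.29.17
                     Critical: no
                     Value:
                         RFC822Name: $request.requestor_email$
"""

# Assumption (constructed): which request variables each enrollment path
# populates. The thread states that request.requestor_email is filled only by
# the WebUI "Requestor Email" input box; CMC/certutil and the RA form set nothing.
POPULATED_VARS = {
    "webui": {"request.requestor_email"},
    "cmc": set(),
    "ra-form": set(),
}

KEY_RE = re.compile(r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\.(?P<rest>.+)$")
VAR_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def parse_profile(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def group_policies(cfg):
    """Group keys by (policyset name, policy index) -> {sub-key: value}."""
    policies = defaultdict(dict)
    for key, value in cfg.items():
        m = KEY_RE.match(key)
        if m:
            policies[(m["set"], int(m["idx"]))][m["rest"]] = value
    return dict(policies)


def lint_san_patterns(cfg, populated_vars):
    """Return (policy_id, gn_index, variable) for every enabled SAN pattern
    variable that the given enrollment path cannot populate."""
    findings = []
    for (pset, idx), p in sorted(group_policies(cfg).items()):
        if p.get("default.class_id") != "subjectAltNameExtDefaultImpl":
            continue
        count = int(p.get("default.params.subjAltNameNumGNs", "0"))
        for i in range(count):
            if p.get(f"default.params.subjAltExtGNEnable_{i}", "false") != "true":
                continue
            pattern = p.get(f"default.params.subjAltExtPattern_{i}", "")
            for var in VAR_RE.findall(pattern):
                if var not in populated_vars:
                    findings.append((f"{pset}.{idx}", i, var))
    return findings


def unresolved_placeholders(pretty_print):
    """Return (name_type, value) pairs from a certificate pretty-print whose
    value still carries a literal $...$ placeholder, the symptom in the thread."""
    hits = []
    for line in pretty_print.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+)$", line)
        if m and VAR_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def user_supplied_extension_policy(pset, idx, oid="2.5.29.17"):
    """Return the default lines that copy the request's own SAN extension into
    the certificate, as Josh suggested. Assumption: class id
    userExtensionDefaultImpl and parameter userExtOID (verify locally)."""
    prefix = f"policyset.{pset}.{idx}.default"
    return [
        f"{prefix}.class_id=userExtensionDefaultImpl",
        f"{prefix}.name=User Supplied Extension Default",
        f"{prefix}.params.userExtOID={oid}",
    ]


if __name__ == "__main__":
    cfg = parse_profile(SAMPLE_PROFILE)
    for path, variables in POPULATED_VARS.items():
        print(path, lint_san_patterns(cfg, variables))
    print(unresolved_placeholders(SAMPLE_DUMP))
    print("\n".join(user_supplied_extension_policy("cmcUserCertSet", 8)))
```

Run against a real profile directory, the linter reports a finding for every SAN pattern whose variable the CMC or RA path leaves empty, which is the configuration that produced the literal `RFC822Name: $request.requestor_email$` in both messages; the replacement lines only make sense if the request itself already carries a SAN (for certutil, via `-7`).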
