[Pki-users] Configurable Subject Alt Name in Cert Profile?
Marc Sauton
msauton at redhat.com
Wed Jan 23 07:38:45 UTC 2013
Hello Ryan,
I tried something with
pki-ca-8.1.0-11
and could not see the subject DN escape exception, maybe the request
was formed differently, in my test enrollment form created by a profile
with this:
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=testmssan
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_name0=testmssan
input.i4.params.gi_num=1
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*
policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
policyset.userCertSet.1.default.params.dnpattern=CN=$request.testmssan$
policyset.userCertSet.1.default.params.ldap.enable=false
...
policyset.userCertSet.8.constraint.class_id=noConstraintImpl
policyset.userCertSet.8.constraint.name=No Constraint
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltNameExtCritical=true
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
policyset.userCertSet.8.default.params.subjAltExtType_0=DirectoryName
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.testmssan$
...
So in the enrollment form I provided with
UID testmssan
...
Generic Input
testmssan: cn=testmssan,ou=people,dc=example,dc=com
And I got a cert issued with:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: yes
Value:
DirectoryName:
CN=testmssan,OU=people,DC=example,DC=com
Thanks,
M.
On 01/21/2013 06:58 AM, ryan.millay at gdc4s.com wrote:
>
> RHEL 5.8
>
> Red Hat CS 8.1
>
> I'm hoping this should be a relatively straight forward question and
> others have run into something similar:
>
> When generating a certificate, is it possible to dynamically
> include/not include the Subject Alt Name field based on an LDAP
> parameter? When looking at the certificate profile there's a
> "subjAltExtGNEnable" parameter, but I don't believe that can be set to
> a request parameter, like $request.includeSAN$ for example, based on
> the testing I've done.
>
> Assuming that the "subjAltExtGNEnable" field must be static text,
> perhaps there is another work around. If included, the Subject Alt
> Name in this case would represent a user's full DN. If not included,
> the request parameter could be left blank and the Subject Alt Name
> would be empty. Here's a little snippet from the cert profile:
>
> policyset.CSCertSet.7.constraint.class_id=noConstraintImpl
> policyset.CSCertSet.7.constraint.name=No Constraint
> policyset.CSCertSet.7.default.class_id=subjectAltNameExtDefaultImpl
> policyset.CSCertSet.7.default.name=Subject Alternative Name Extension Default
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_0=true
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_1=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_2=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_3=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_4=false
> policyset.CSCertSet.7.default.params.subjAltExtPattern_0=$request.pkisponsordn$
> policyset.CSCertSet.7.default.params.subjAltExtPattern_1=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_2=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_3=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_4=
> policyset.CSCertSet.7.default.params.subjAltExtType_0=DirectoryName
> policyset.CSCertSet.7.default.params.subjAltExtType_1=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_2=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_3=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_4=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltNameExtCritical=false
>
> The issue that arises here is the CA fails with an IO exception from
> the $request.pkisponsordn$ format. That value is a user DN, similar to
>
> CN=FIRSTNAME.LASTNAME, OU=ORGANIZATION, OU=ORGANIZATION2, O=COUNTRY,
> C=COUNTRYCODE. The CA's debug log shows the '=' and the ',' being
> escaped by backslashes. The CA then fails to populate the Subject Alt
> Name due to the following error:
>
> SubjectAltNameExtDefault: populate java.io.IOException: Unknown AVA
> keyword 'CN\'.
>
> Is there a way to properly escape the user DN so it can be used in the
> Subject Alt Name? Again, the ultimate goal being the user DN could be
> populated or not. If populated, it is included as the Subject Alt
> Name. If not populated, the Subject Alt Name is left blank when the
> certificate is generated.
>
> Thank you,
>
> Ryan Millay
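Added example, not code from this thread or from the Red Hat CS / Dogtag code base: a small RFC 4514 DN string parser and a pre-check for a request parameter that is meant to become a DirectoryName in the Subject Alt Name. It shows why the form of DN Ryan describes fails to parse (once `=` and `,` are backslash-escaped, the parser sees `CN\` as the attribute type, which is exactly the "Unknown AVA keyword 'CN\'" error quoted above), how a comma inside a value must be escaped so that it survives, and how a blank parameter maps to "omit the SAN" rather than to a broken extension. The function names (`parse_dn`, `san_directory_name`, `escape_value`) and the sample DNs are assumptions for this example; the CA's own DN parser is not modelled here.

```python
"""RFC 4514 DN parsing / validation for a DirectoryName SAN value (added example)."""
import re
from typing import List, Optional, Tuple

RDN = List[Tuple[str, str]]          # one RDN = list of (attributeType, value) AVAs
# attribute type: short name such as CN/OU/DC, or a dotted OID
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")
_ESCAPABLE = set(',=+<>#;"\\ ')      # characters that may follow a backslash
_MUST_ESCAPE = set(',+"\\<>;')       # characters that need escaping when emitting a value


class DNError(ValueError):
    """Raised when a string is not a well-formed DN."""


def _parse_value(s: str, i: int) -> Tuple[str, int]:
    """Parse one attribute value starting at s[i]; return (value, index after it).
    Handles backslash-escaped specials and \\XX hex pairs (UTF-8 bytes)."""
    buf, esc, n = bytearray(), [], len(s)   # esc[k]: was buf[k] produced by an escape?
    if i < n and s[i] == '#':
        raise DNError("hex-encoded (#...) values not supported by this example")
    while i < n and s[i] not in ',+':
        c = s[i]
        if c == '\\':
            if i + 1 >= n:
                raise DNError("dangling backslash")
            nxt = s[i + 1]
            if nxt in _ESCAPABLE:
                b, i = nxt.encode('utf-8'), i + 2
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
                b, i = bytes([int(s[i + 1:i + 3], 16)]), i + 3
            else:
                raise DNError(f"bad escape sequence at offset {i}")
            buf += b
            esc += [True] * len(b)
        elif c in '"<>;':
            raise DNError(f"unescaped special character {c!r} at offset {i}")
        else:
            b = c.encode('utf-8')
            buf += b
            esc += [False] * len(b)
            i += 1
    # unescaped leading/trailing spaces are layout, not value (RFC 4514 requires escaping real ones)
    start, end = 0, len(buf)
    while start < end and buf[start] == 0x20 and not esc[start]:
        start += 1
    while end > start and buf[end - 1] == 0x20 and not esc[end - 1]:
        end -= 1
    try:
        return bytes(buf[start:end]).decode('utf-8'), i
    except UnicodeDecodeError as e:
        raise DNError("value is not valid UTF-8") from e


def parse_dn(s: str) -> List[RDN]:
    """Parse a DN string into RDNs; multi-valued RDNs (a+b) are kept together."""
    if s.strip() == '':
        raise DNError("empty DN")
    rdns, rdn, i, n = [], [], 0, len(s)
    while True:
        while i < n and s[i] == ' ':
            i += 1
        j = i
        while j < n and s[j] not in '=,+':
            j += 1
        if j >= n or s[j] != '=':
            raise DNError(f"expected '=' after attribute type at offset {i}")
        atype = s[i:j].strip()
        if not _ATTR_TYPE.match(atype):            # e.g. 'CN\' from an over-escaped DN
            raise DNError(f"unknown AVA keyword {atype!r}")
        value, i = _parse_value(s, j + 1)
        if value == '':
            raise DNError(f"empty value for {atype}")
        rdn.append((atype if atype[0].isdigit() else atype.upper(), value))
        if i >= n:
            rdns.append(rdn)
            return rdns
        sep, i = s[i], i + 1
        if sep == ',':
            rdns.append(rdn)
            rdn = []


def escape_value(v: str) -> str:
    """Escape a single attribute value for inclusion in a DN string."""
    out = []
    for k, ch in enumerate(v):
        needs = ch in _MUST_ESCAPE or (ch == ' ' and k in (0, len(v) - 1)) or (ch == '#' and k == 0)
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def is_valid_dn(s: str) -> bool:
    try:
        parse_dn(s)
        return True
    except DNError:
        return False


def san_directory_name(request_value: Optional[str]) -> Optional[str]:
    """Blank/absent parameter -> None (omit the SAN); otherwise a canonical DN string."""
    if request_value is None or request_value.strip() == '':
        return None
    rdns = parse_dn(request_value)
    return ','.join('+'.join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)
```

The check worth taking from this: validate the request parameter as a DN *before* it reaches the extension default, and treat a pre-escaped string (every `=` and `,` backslashed) as a malformed input rather than trying to unescape it, since a value that arrives already escaped has most likely been run through an LDAP-string encoder twice.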