[Pki-users] Configurable Subject Alt Name in Cert Profile?

Marc Sauton msauton at redhat.com
Wed Jan 23 07:38:45 UTC 2013


Hello Ryan,
I tried something with
pki-ca-8.1.0-11
and could not see the subject DN escape exception; maybe the request 
was formed differently. In my test, the enrollment form was created by a profile 
with this:
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=testmssan
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_name0=testmssan
input.i4.params.gi_num=1
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*
policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
policyset.userCertSet.1.default.params.dnpattern=CN=$request.testmssan$
policyset.userCertSet.1.default.params.ldap.enable=false
...
policyset.userCertSet.8.constraint.class_id=noConstraintImpl
policyset.userCertSet.8.constraint.name=No Constraint
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltNameExtCritical=true
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
policyset.userCertSet.8.default.params.subjAltExtType_0=DirectoryName
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.testmssan$
...

So in the enrollment form I provided with
UID testmssan
...
Generic Input
testmssan: cn=testmssan,ou=people,dc=example,dc=com

And I got a cert issued with:
                 Identifier: Subject Alternative Name - 2.5.29.17
                     Critical: yes
                     Value:
                         DirectoryName: CN=testmssan,OU=people,DC=example,DC=com

Thanks,
M.

On 01/21/2013 06:58 AM, ryan.millay at gdc4s.com wrote:
>
> RHEL 5.8
>
> Red Hat CS 8.1
>
> I'm hoping this should be a relatively straight forward question and 
> others have run into something similar:
>
> When generating a certificate, is it possible to dynamically 
> include/not include the Subject Alt Name field based on an LDAP 
> parameter?  When looking at the certificate profile there's a 
> "subjAltExtGNEnable" parameter, but I don't believe that can be set to 
> a request parameter, like $request.includeSAN$ for example, based on 
> the testing I've done.
>
> Assuming that the "subjAltExtGNEnable" field must be static text, 
> perhaps there is another work around.  If included, the Subject Alt 
> Name in this case would represent a user's full DN.  If not included, 
> the request parameter could be left blank and the Subject Alt Name 
> would be empty.  Here's a little snippet from the cert profile:
>
> policyset.CSCertSet.7.constraint.class_id=noConstraintImpl
> policyset.CSCertSet.7.constraint.name=No Constraint
> policyset.CSCertSet.7.default.class_id=subjectAltNameExtDefaultImpl
> policyset.CSCertSet.7.default.name=Subject Alternative Name Extension Default
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_0=true
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_1=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_2=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_3=false
> policyset.CSCertSet.7.default.params.subjAltExtGNEnable_4=false
> policyset.CSCertSet.7.default.params.subjAltExtPattern_0=$request.pkisponsordn$
> policyset.CSCertSet.7.default.params.subjAltExtPattern_1=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_2=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_3=
> policyset.CSCertSet.7.default.params.subjAltExtPattern_4=
> policyset.CSCertSet.7.default.params.subjAltExtType_0=DirectoryName
> policyset.CSCertSet.7.default.params.subjAltExtType_1=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_2=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_3=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltExtType_4=RFC822Name
> policyset.CSCertSet.7.default.params.subjAltNameExtCritical=false
>
> The issue that arises here is the CA fails with an IO exception from 
> the $request.pkisponsordn$ format. That value is a user DN, similar to
>
> CN=FIRSTNAME.LASTNAME, OU=ORGANIZATION, OU=ORGANIZATION2, O=COUNTRY, 
> C=COUNTRYCODE.  The CA's debug log shows the '=' and the ',' being 
> escaped by backslashes. The CA then fails to populate the Subject Alt 
> Name due to the following error:
>
> SubjectAltNameExtDefault: populate java.io.IOException: Unknown AVA 
> keyword 'CN\'.
>
> Is there a way to properly escape the user DN so it can be used in the 
> Subject Alt Name?  Again, the ultimate goal being the user DN could be 
> populated or not.  If populated, it is included as the Subject Alt 
> Name.  If not populated, the Subject Alt Name is left blank when the 
> certificate is generated.
>
> Thank you,
>
> Ryan Millay
>
>
>
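As an added illustration of the failure mode discussed in this thread (example code, not from the thread or from the RHCS/Dogtag code base): a small RFC 4514 DN tokenizer that honours backslash escapes only within values and, like the CA's AVA parser, takes whatever precedes the first '=' in an RDN as the attribute keyword. A DN whose '=' and ',' were backslash-escaped therefore produces the keyword `CN\` and the same "Unknown AVA keyword" rejection; an empty request value is flagged as "omit", matching the goal of leaving the SAN out when the parameter is blank. All DN strings are constructed sample values.

```python
"""Added example: RFC 4514 DN tokenizer reproducing the 'Unknown AVA keyword'
rejection of an over-escaped DirectoryName value. Not RHCS/Dogtag code."""
from __future__ import annotations
import re

# Attribute type: a short name (CN, OU, DC, ...) or a dotted-decimal OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, skipping separators preceded by a backslash (kept verbatim)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # escaped char: copy the pair
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(type, value), ...]. The keyword is whatever precedes the first
    '=' of the RDN, escaped or not, then validated: 'CN\\=...' yields 'CN\\'."""
    avas = []
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError(f"no '=' in RDN {rdn!r}")
        keyword, value = rdn.split("=", 1)
        keyword = keyword.strip()
        if not _ATTR_TYPE.match(keyword):
            raise ValueError(f"Unknown AVA keyword '{keyword}'")
        avas.append((keyword, value.strip()))
    return avas


def san_directory_name_check(value: str) -> str:
    """Pre-flight check for a request parameter feeding a DirectoryName SAN:
    empty means the extension should be omitted; otherwise it must parse."""
    if value == "":
        return "omit"
    try:
        parse_dn(value)
        return "ok"
    except ValueError as exc:
        return f"reject: {exc}"
```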


