From sbernst at gmail.com Tue Jul 1 19:10:04 2014
From: sbernst at gmail.com (sbernst at gmail.com)
Date: Tue, 1 Jul 2014 19:10:04 +0000
Subject: [Pki-users] Pki-users Digest, Vol 76, Issue 1
In-Reply-To:
References:
Message-ID: <53b30887.691cb60a.23d6.ffffc9f2@mx.google.com>

Christina,

Thank you so much for the help! :-)

Steven

From: pki-users-request at redhat.com
Sent: Tuesday, July 1, 2014 11:00 AM
To: pki-users at redhat.com

Today's Topics:

   1. Re: ECC entity certificate signing and Dogtag (Christina Fu)

----------------------------------------------------------------------

Message: 1
Date: Mon, 30 Jun 2014 11:15:24 -0700
From: Christina Fu
To: pki-users at redhat.com
Subject: Re: [Pki-users] ECC entity certificate signing and Dogtag
Message-ID: <53B1A93C.5090005 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi Steven,

NSS softtoken provides ECC on F20 out of box (https://bugzilla.redhat.com/show_bug.cgi?id=1019244). During installation, you just want to make sure that you select the right option accordingly.

On the client side, the current firefox version supports CRMF key gen with EC. You can try it on one of the enrollment profiles at the EE port. From the CLI, certutil works well. You can do something like the following to get PKCS#10:

    certutil -d . -R -k ec -q nistp256 -s "CN=test2014" -a -o req.test2014

Christina

On 06/27/2014 10:02 AM, sbernst at gmail.com wrote:
> Hi there...
> It has been suggested that this is likely a question for
> CFU (Christina).
>
> How and where do I get the libraries to get ECC working on DogTag on
> FC20? Specifically looking to sign client side generated PKCS#10 key
> blobs. The Dogtag 10 release from 17 Jan 2013 suggested that this
> might be supported, but Info from the link below says that, "Certicom
> software tokens could not be used because of an issue with malformed
> private keys."
> https://www.redhat.com/archives/pki-users/2013-January/msg00001.html
>
> So what all is required to sign ECC generated requests? (not planning
> on use of TMS interface at this point). I saw that bug Bug 986831 says
> that, "Some tools are broken for ECC with NSS token alone," (from the
> 10.1 release announcement from November of last year
> https://www.redhat.com/archives/pki-users/2013-November/msg00001.html)
>
> but I'm not authorized to view its details. (I mention this to
> demonstrate that I'm trying to do my homework on this issue before
> asking for help.)
>
> Thank you so much, in advance, for any and all help.
>
> - Steven

From abhaj at yahoo.com Wed Jul 2 18:27:39 2014
From: abhaj at yahoo.com (Abha Jain)
Date: Wed, 2 Jul 2014 11:27:39 -0700
Subject: [Pki-users] Queries on Doghat support
Message-ID: <1404325659.66499.YahooMailNeo@web121906.mail.ne1.yahoo.com>

Hi All,

We are looking at using Doghat CA server with Cisco routers.
I had a few questions on the support included in Doghat certificate system.

I just started working on PKI, so please excuse if the questions are quite basic.

1. The Doghat system is built on top of NSS (Network Security Services). Does it have any issues working with Cisco routers as clients using SCEP? Would there be any OpenSSL and NSS interactions in this case?

2. Does Doghat support CA Certificate rollover? When CA certificate is about to expire, CA creates a shadow certificate. All the endpoints associated with that CA can then renew their ID certificates (this requires support for SCEP Messages such as GetNextCACert, GetCACaps).

Thanks in advance for your help!
-Abha

From cfu at redhat.com Thu Jul 3 02:17:21 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 02 Jul 2014 19:17:21 -0700
Subject: [Pki-users] Queries on Doghat support
In-Reply-To: <1404325659.66499.YahooMailNeo@web121906.mail.ne1.yahoo.com>
References: <1404325659.66499.YahooMailNeo@web121906.mail.ne1.yahoo.com>
Message-ID: <53B4BD31.10203@redhat.com>

I have not played with it, at least not for a long long time, but you can try out the documentation pointed to from some past thread... see attached.

Regarding SCEP messages, we do not support fully, so the answer is no, not yet.

Christina

On 07/02/2014 11:27 AM, Abha Jain wrote:
> Hi All,
>
> We are looking at using Doghat CA server with Cisco routers. I had a
> few questions on the support included in Doghat certificate system.
>
> I just started working on PKI, so please excuse if the questions are
> quite basic.
>
> 1. The Doghat system is built on top of NSS (Network Security
> Services). Does it have any issues working with Cisco routers as
> clients using SCEP? Would there be any OpenSSL and NSS interactions in
> this case?
>
> 2. Does Doghat support CA Certificate rollover? When CA certificate is
> about to expire, CA creates a shadow certificate.
> All the endpoints
> associated with that CA can then renew their ID certificates (this
> requires support for SCEP Messages such as GetNextCACert, GetCACaps).
>
> Thanks in advance for your help!
> -Abha

-------------- next part --------------
An embedded message was scrubbed...
From: Andrew Wnuk
Subject: Re: [Pki-users] Using SCEP
Date: Tue, 20 Aug 2013 10:14:40 -0700
Size: 4894
URL:

From abhaj at yahoo.com Thu Jul 3 05:05:05 2014
From: abhaj at yahoo.com (Abha Jain)
Date: Wed, 2 Jul 2014 22:05:05 -0700
Subject: [Pki-users] Queries on Doghat support
In-Reply-To: <53B4BD31.10203@redhat.com>
References: <1404325659.66499.YahooMailNeo@web121906.mail.ne1.yahoo.com> <53B4BD31.10203@redhat.com>
Message-ID: <1404363905.25819.YahooMailNeo@web121904.mail.ne1.yahoo.com>

Hi Christina,

Thanks for the reply. I will go through the attached email.

I had another question - I see that Doghat is supported on Fedora and RHEL. Is it possible to run Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to make Doghat work on Ubuntu?

Thanks,
Abha

On Wednesday, July 2, 2014 7:17 PM, Christina Fu wrote:

I have not played with it, at least not for a long long time, but you can try out the documentation pointed to from some past thread... see attached.

Regarding SCEP messages, we do not support fully, so the answer is no, not yet.

Christina

On 07/02/2014 11:27 AM, Abha Jain wrote:

> Hi All,
>
> We are looking at using Doghat CA server with Cisco routers. I had a few questions on the support included in Doghat certificate system.
>
> I just started working on PKI, so please excuse if the questions are quite basic.
>
> 1. The Doghat system is built on top of NSS (Network Security Services).
> Does it have any issues working with Cisco routers as clients using SCEP? Would there be any OpenSSL and NSS interactions in this case?
>
> 2. Does Doghat support CA Certificate rollover? When CA certificate is about to expire, CA creates a shadow certificate. All the endpoints associated with that CA can then renew their ID certificates (this requires support for SCEP Messages such as GetNextCACert, GetCACaps).
>
> Thanks in advance for your help!
> -Abha

SCEP is disabled by default in CA, so you need to enable SCEP first:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep

If you want to use SCEP with CA authentication, you need to enable FlatFileAuthentication plug-in:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication

If you want to use SCEP with RA authentication, you need to follow RA's UI to create one time pins for SCEP requests. RA is using SQLite as its repository so no need to create directory entries.

I would advise you to use SCEP with CA only as more improvements were provided in this area.

Thanks,
Andrew

On 08/20/2013 07:10 AM, Oleg Antonenko wrote:
> Hi!
> I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.
> But before plunging into full blown installation and tests I'd like to understand overall SCEP cert enrolment workflow supported by Dogtag.
>
> From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA.
> As I understood in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP.
> Is that correct?
>
> I did not get an impression that I have to do same when sending SCEP requests directly to CA.
> Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly?
>
> Thanks in advance,
> Oleg

From rperez at pgjtabasco.gob.mx Thu Jul 3 17:26:13 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Thu, 3 Jul 2014 12:26:13 -0500
Subject: [Pki-users] Request Rejected
Message-ID: <002701cf96e3$e3b31260$ab193720$@pgjtabasco.gob.mx>

When I send a request of Certificate Profile - Manual User Dual-Use Certificate Enrollment

On subject name

If "UID" value is empty

I get this error:

Certificate Profile

Sorry, your request has been rejected. The reason is "Request Rejected - {0}"

Your request ID is 7.

From msauton at redhat.com Thu Jul 3 17:45:19 2014
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 03 Jul 2014 10:45:19 -0700
Subject: [Pki-users] Request Rejected
In-Reply-To: <002701cf96e3$e3b31260$ab193720$@pgjtabasco.gob.mx>
References: <002701cf96e3$e3b31260$ab193720$@pgjtabasco.gob.mx>
Message-ID: <53B596AF.70607@redhat.com>

The subject name constraint defined in the profile used to enroll may require a UID value, it may need to be customized.
The CA debug log should have some details.
M.
On 07/03/2014 10:26 AM, Ricardo Alexander Perez Ricardez wrote:
>
> *When I send a request of* *Certificate Profile - Manual User Dual-Use
> Certificate Enrollment*
>
> On subject name
>
> If "UID" value is empty
>
> *I get this error:*
>
> Certificate Profile
>
> Sorry, your request has been rejected. The reason is "Request Rejected
> - {0}"
>
> Your request ID is *7*.

From abhaj at yahoo.com Thu Jul 3 20:31:40 2014
From: abhaj at yahoo.com (Abha Jain)
Date: Thu, 3 Jul 2014 13:31:40 -0700
Subject: [Pki-users] Doghat on Ubuntu
Message-ID: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com>

Hi All,

I see that Doghat is supported on Fedora and RHEL. Is it possible to run Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to make Doghat work on Ubuntu?

Thanks for your help!
Abha

From jdennis at redhat.com Thu Jul 3 20:42:49 2014
From: jdennis at redhat.com (John Dennis)
Date: Thu, 03 Jul 2014 16:42:49 -0400
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com>
Message-ID: <53B5C049.505@redhat.com>

On 07/03/2014 04:31 PM, Abha Jain wrote:
> Hi All,
>
> I see that Doghat is supported on Fedora and RHEL. Is it possible to
> run Doghat on Ubuntu host? Has anyone tried it and any thoughts on how
> to make Doghat work on Ubuntu?
>

Thank you for your interest in the Dogtag project.
The project name is Dogtag, as in identification tags worn by military personnel, not something a canine wears on its head :-)

I'll let someone else more knowledgeable about the Debian porting effort reply to your specific question.

--
John

From abhaj at yahoo.com Thu Jul 3 21:10:31 2014
From: abhaj at yahoo.com (Abha Jain)
Date: Thu, 3 Jul 2014 14:10:31 -0700
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <53B5C049.505@redhat.com>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com> <53B5C049.505@redhat.com>
Message-ID: <1404421831.65008.YahooMailNeo@web121902.mail.ne1.yahoo.com>

LOL! Oops... Yes it's Dogtag :) Sorry about that.

-Abha

On Thursday, July 3, 2014 1:42 PM, John Dennis wrote:

On 07/03/2014 04:31 PM, Abha Jain wrote:

> Hi All,
>
> I see that Doghat is supported on Fedora and RHEL. Is it possible to run Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to make Doghat work on Ubuntu?
>

Thank you for your interest in the Dogtag project. The project name is Dogtag, as in identification tags worn by military personnel, not something a canine wears on its head :-)

I'll let someone else more knowledgeable about the Debian porting effort reply to your specific question.

--
John

From tjaalton at ubuntu.com Fri Jul 4 06:19:39 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 04 Jul 2014 09:19:39 +0300
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com>
Message-ID: <53B6477B.3030809@ubuntu.com>

On 03.07.2014 23:31, Abha Jain wrote:
> Hi All,
>
> I see that Doghat is supported on Fedora and RHEL. Is it possible to run
> Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to
> make Doghat work on Ubuntu?
>
> Thanks for your help!

Hi,

It's still work-in-progress, partly due to the recent switch of packaging over to 10.2~ which brought new unpackaged dependencies which need to be dealt with. I'm currently blocked on jackson-module-jaxb-annotations not building right, process-sources phase is not run for some reason..

The ultimate goal is to get a working Freeipa server in the next Debian release, which will freeze in November.

--
t

From tjaalton at ubuntu.com Fri Jul 4 06:22:34 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 04 Jul 2014 09:22:34 +0300
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <53B6477B.3030809@ubuntu.com>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com> <53B6477B.3030809@ubuntu.com>
Message-ID: <53B6482A.1000908@ubuntu.com>

On 04.07.2014 09:19, Timo Aaltonen wrote:
> On 03.07.2014 23:31, Abha Jain wrote:
>> Hi All,
>>
>> I see that Doghat is supported on Fedora and RHEL. Is it possible to run
>> Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to
>> make Doghat work on Ubuntu?
>>
>> Thanks for your help!
>
> Hi,
>
> It's still work-in-progress, partly due to the recent switch of
> packaging over to 10.2~ which brought new unpackaged dependencies which
> need to be dealt with. I'm currently blocked on
> jackson-module-jaxb-annotations not building right, process-sources
> phase is not run for some reason..
>
> The ultimate goal is to get a working Freeipa server in the next Debian
> release, which will freeze in November.

Still too early in the morning to actually read the subject.. so this will eventually be brought to Ubuntu too.
and actually, you should be able to run 10.1 now (pki-ca at least, don't think the other subsystems work):

https://launchpad.net/~freeipa/+archive/ppa

but don't expect to get any support for it :)

--
t

From alee at redhat.com Mon Jul 7 11:18:55 2014
From: alee at redhat.com (Ade Lee)
Date: Mon, 07 Jul 2014 19:18:55 +0800
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <53B6482A.1000908@ubuntu.com>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com> <53B6477B.3030809@ubuntu.com> <53B6482A.1000908@ubuntu.com>
Message-ID: <1404731935.21539.2.camel@localhost.localdomain>

On Fri, 2014-07-04 at 09:22 +0300, Timo Aaltonen wrote:
> On 04.07.2014 09:19, Timo Aaltonen wrote:
> > On 03.07.2014 23:31, Abha Jain wrote:
> >> Hi All,
> >>
> >> I see that Doghat is supported on Fedora and RHEL. Is it possible to run
> >> Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to
> >> make Doghat work on Ubuntu?
> >>
> >> Thanks for your help!
> >
> > Hi,
> >
> > It's still work-in-progress, partly due to the recent switch of
> > packaging over to 10.2~ which brought new unpackaged dependencies which
> > need to be dealt with. I'm currently blocked on
> > jackson-module-jaxb-annotations not building right, process-sources
> > phase is not run for some reason..
> >
> > The ultimate goal is to get a working Freeipa server in the next Debian
> > release, which will freeze in November.
>
> Still too early in the morning to actually read the subject.. so this
> will eventually be brought to Ubuntu too.
>
> and actually, you should be able to run 10.1 now (pki-ca at least, don't
> think the other subsystems work):
>
> https://launchpad.net/~freeipa/+archive/ppa
>
> but don't expect to get any support for it :)
>

The Ubuntu build has undergone some very basic testing (ie. install a CA and issue a cert) If you try it out and something does not work, though, please let us know - ie. file a BZ, send a note to this list or ping us on IRC.
We definitely want to have it working on Debian/Ubuntu.

Ade

From tjaalton at ubuntu.com Mon Jul 7 11:25:00 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Mon, 07 Jul 2014 14:25:00 +0300
Subject: [Pki-users] Doghat on Ubuntu
In-Reply-To: <1404731935.21539.2.camel@localhost.localdomain>
References: <1404419500.85281.YahooMailNeo@web121906.mail.ne1.yahoo.com> <53B6477B.3030809@ubuntu.com> <53B6482A.1000908@ubuntu.com> <1404731935.21539.2.camel@localhost.localdomain>
Message-ID: <53BA838C.8050203@ubuntu.com>

On 07.07.2014 14:18, Ade Lee wrote:
> On Fri, 2014-07-04 at 09:22 +0300, Timo Aaltonen wrote:
>> On 04.07.2014 09:19, Timo Aaltonen wrote:
>>> On 03.07.2014 23:31, Abha Jain wrote:
>>>> Hi All,
>>>>
>>>> I see that Doghat is supported on Fedora and RHEL. Is it possible to run
>>>> Doghat on Ubuntu host? Has anyone tried it and any thoughts on how to
>>>> make Doghat work on Ubuntu?
>>>>
>>>> Thanks for your help!
>>>
>>> Hi,
>>>
>>> It's still work-in-progress, partly due to the recent switch of
>>> packaging over to 10.2~ which brought new unpackaged dependencies which
>>> need to be dealt with. I'm currently blocked on
>>> jackson-module-jaxb-annotations not building right, process-sources
>>> phase is not run for some reason..
>>>
>>> The ultimate goal is to get a working Freeipa server in the next Debian
>>> release, which will freeze in November.
>>
>> Still too early in the morning to actually read the subject.. so this
>> will eventually be brought to Ubuntu too.
>>
>> and actually, you should be able to run 10.1 now (pki-ca at least, don't
>> think the other subsystems work):
>>
>> https://launchpad.net/~freeipa/+archive/ppa
>>
>> but don't expect to get any support for it :)
>>
>
> The Ubuntu build has undergone some very basic testing (ie. install a CA
> and issue a cert) If you try it out and something does not work,
> though, please let us know - ie. file a BZ, send a note to this list or
> ping us on IRC.
> We definitely want to have it working on Debian/Ubuntu.

Indeed, there are likely still some packaging issues not found or fixed yet for the 10.2 based package on git.debian.org.. by no support I meant that the fixes will end up in the new package, and won't be on the ppa anytime soon.

--
t

From rperez at pgjtabasco.gob.mx Fri Jul 18 16:59:49 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Fri, 18 Jul 2014 11:59:49 -0500
Subject: [Pki-users] DogTag not show images
Message-ID: <002c01cfa2a9$af89f360$0e9dda20$@pgjtabasco.gob.mx>

On the client side --> Windows 7

When I browse to dogtag certificate server url from Internet Explorer I can't see images

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagnoimages.png
Type: image/png
Size: 15793 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagnoimages2.png
Type: image/png
Size: 47365 bytes
Desc: not available
URL:

From d.rye at roadtech.co.uk Wed Jul 30 16:29:47 2014
From: d.rye at roadtech.co.uk (J. David Rye of Roadtech)
Date: Wed, 30 Jul 2014 17:29:47 +0100
Subject: [Pki-users] How to populate manual aproval form for server certificate with subjectAltName of type DNSName from request.
Message-ID: <201407301729.47877.d.rye@roadtech.co.uk>

I can not believe that I am in a unique position.

I needed a PKI setup for a development environment that develops Highly Available services. Production environment uses commercial certificates, with multiple DNSName type SubjectAltName fields.

On first sight and test DogTag looked like it would do everything I want.

so I have a box with Fedora 20 and Dogtag installed.
Installed Packages
dogtag-pki.noarch                  10.1.1-1.fc20
dogtag-pki-console-theme.noarch    10.1.1-1.fc20
dogtag-pki-server-theme.noarch     10.1.1-1.fc20
pki-base.noarch                    10.1.1-1.fc20
pki-ca.noarch                      10.1.1-1.fc20
pki-console.noarch                 10.1.1-1.fc20
pki-javadoc.noarch                 10.1.1-1.fc20
pki-kra.noarch                     10.1.1-1.fc20
pki-ocsp.noarch                    10.1.1-1.fc20
pki-ra.noarch                      10.1.1-1.fc20
pki-server.noarch                  10.1.1-1.fc20
pki-symkey.x86_64                  10.1.1-1.fc20
pki-tks.noarch                     10.1.1-1.fc20
pki-tools.x86_64                   10.1.1-1.fc20
pki-tps.x86_64                     10.1.1-1.fc20

I also have a deployment script that generates a certificate request with the required alternate DNS names. In the current case 7 servers with 4 alternate names each.

I then discovered that while it gives no errors or warnings the policy /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg silently ignores subjectaltName from the request.

Following various sets of notes found on line, I have a hacked version caServerCertAlt.cfg along with changes to /etc/pki/pki-tomcat/ca/registry.cfg and /etc/pki/pki-tomcat/ca/CS.cfg this provides a box to enter the alternate names while approving the certificate request.

To that extent it works, however it does not initialise the form with the values from the request. Instead they get initialised to "DNSName: $request.SAN1$"

Most of the on line notes seem to be linking back to Example B1 in the Red_Hat_Certificate_System 8.0 Admin Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

Searching this list returned a message from August 2012
https://www.redhat.com/archives/pki-users/2012-August/msg00006.html
Which suggests that the manual is wrong, or at least wrong for DogTag.

Can anyone help with a working example, or point me to a page with the correct information?
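
The failure described in the message above (a profile that issues the certificate without error but silently drops the subjectAltName values from the request) can be caught after issuance by comparing the DNSName entries in the request with those in the certificate. This is an added example, not part of the thread and not Dogtag code; the host names and DER skeletons are constructed for illustration, and real input would be the DER bytes of the actual PKCS#10 request and issued certificate.

```python
SAN_OID = bytes.fromhex("551d11")                  # 2.5.29.17 subjectAltName
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")  # PKCS#9 extensionRequest

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def dns_names(der):
    """Return the dNSName entries of every subjectAltName extension in der."""
    names = set()

    def walk(value):
        kids = children(value)
        if kids and kids[0] == (0x06, SAN_OID):
            for tag, val in kids[1:]:
                if tag == 0x04:  # extnValue: OCTET STRING wrapping GeneralNames
                    _, general_names, _ = read_tlv(val, 0)
                    for gn_tag, gn_val in children(general_names):
                        if gn_tag == 0x82:  # [2] dNSName
                            names.add(gn_val.decode("ascii").lower())
            return
        for tag, val in kids:
            if tag & 0x20:  # constructed element: descend into it
                walk(val)

    walk(der)
    return names

def missing_sans(request_der, cert_der):
    """DNSNames present in the request but absent from the issued certificate."""
    return sorted(dns_names(request_der) - dns_names(cert_der))

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed samples below."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(body).to_bytes(size, "big") + body

def san_extension(names):
    general_names = tlv(0x30, *(tlv(0x82, n.encode("ascii")) for n in names))
    return tlv(0x30, tlv(0x06, SAN_OID), tlv(0x04, general_names))

# Constructed skeletons with hypothetical host names; no keys or signatures.
REQUESTED = ["svc1.example.test", "svc1-a.example.test",
             "svc1-b.example.test", "svc1-vip.example.test"]
SAMPLE_REQUEST = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00"), tlv(0xA0, tlv(
    0x30, tlv(0x06, EXT_REQ_OID), tlv(0x31, tlv(0x30, san_extension(REQUESTED)))))))
CERT_DROPPED = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30))))
CERT_PARTIAL = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"),
                             tlv(0xA3, tlv(0x30, san_extension(REQUESTED[:2])))))

if __name__ == "__main__":
    for label, cert in (("dropped", CERT_DROPPED), ("partial", CERT_PARTIAL)):
        print(label, "missing:", missing_sans(SAMPLE_REQUEST, cert))
```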