[Pki-users] How to populate manual aproval form for server certificate with subjectAltName of type DNSName from request.

J. David Rye of Roadtech d.rye at roadtech.co.uk
Wed Jul 30 16:29:47 UTC 2014


I cannot believe that I am in a unique position.

I needed a PKI setup for a development environment that develops Highly 
Available services. The production environment uses commercial certificates, with 
multiple DNSName type SubjectAltName fields.

On first sight and test DogTag looked like it would do everything I want, 
so I have a box with Fedora 20 and Dogtag installed.

Installed Packages
dogtag-pki.noarch 10.1.1-1.fc20
dogtag-pki-console-theme.noarch 10.1.1-1.fc20
dogtag-pki-server-theme.noarch 10.1.1-1.fc20
pki-base.noarch 10.1.1-1.fc20
pki-ca.noarch 10.1.1-1.fc20
pki-console.noarch 10.1.1-1.fc20
pki-javadoc.noarch 10.1.1-1.fc20
pki-kra.noarch 10.1.1-1.fc20
pki-ocsp.noarch 10.1.1-1.fc20
pki-ra.noarch 10.1.1-1.fc20
pki-server.noarch 10.1.1-1.fc20
pki-symkey.x86_64 10.1.1-1.fc20
pki-tks.noarch 10.1.1-1.fc20
pki-tools.x86_64 10.1.1-1.fc20
pki-tps.x86_64 10.1.1-1.fc20

I also have a deployment script that generates a certificate request with the 
required alternate DNS names. In the current case 7 servers with 4 alternate 
names each.

I then discovered that while it gives no errors or warnings the 
policy /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg silently 
ignores subjectaltName from the request.

Following various sets of notes found online, I have a hacked version 
caServerCertAlt.cfg along with changes to /etc/pki/pki-tomcat/ca/registry.cfg 
and /etc/pki/pki-tomcat/ca/CS.cfg; this provides a box to enter the alternate 
names while approving the certificate request. To that extent it works, 
however it does not initialise the form with the values from the request. 
Instead they get initialised to "DNSName: $request.SAN1$".

Most of the online notes seem to be linking back to Example B1 in the 
Red_Hat_Certificate_System 8.0 Admin Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

Searching this list returned a message from August 2012
https://www.redhat.com/archives/pki-users/2012-August/msg00006.html
which suggests that the manual is wrong, or at least wrong for DogTag.

Can anyone help with a working example, or point me to a page with the correct 
information?
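The problem described above is that a CA profile can silently drop the subjectAltName carried in the request, so the issued certificate has fewer names than the deployment script asked for. The script below is an added example, not part of the original post and not Dogtag's own tooling: it uses the openssl command line to build a request with four DNSName SANs, signs it twice (once with the request extensions ignored, which is what the poster observed, and once with them honoured), and then compares the SANs in the certificate against the SANs in the CSR so that a dropped name is caught at deployment time rather than on the first TLS handshake. The hostnames under example-ha.test, the file names, and the WORK directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR with several
# DNSName SANs, then check that an issued certificate contains every
# name the request asked for. Hostnames and file names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a CSR with four constructed DNSName SANs.
make_csr() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = node1.example-ha.test
[v3_req]
subjectAltName = DNS:node1.example-ha.test, DNS:vip.example-ha.test, DNS:db.example-ha.test, DNS:api.example-ha.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/node1.key" \
        -out "$WORK/node1.csr" -config "$WORK/san.cnf" 2>/dev/null
}

# Sign the CSR the way a profile that ignores request extensions would:
# "openssl x509 -req" does not copy extensions unless told to, so the
# resulting certificate carries no subjectAltName at all.
sign_ignoring_request_extensions() {
    openssl x509 -req -in "$WORK/node1.csr" -signkey "$WORK/node1.key" \
        -days 1 -out "$WORK/dropped.crt" 2>/dev/null
}

# Sign the CSR honouring the requested SAN extension.
sign_honouring_request_extensions() {
    openssl x509 -req -in "$WORK/node1.csr" -signkey "$WORK/node1.key" \
        -days 1 -extfile "$WORK/san.cnf" -extensions v3_req \
        -out "$WORK/honoured.crt" 2>/dev/null
}

# Print the DNS names from the SAN extension of a CSR, one per line.
csr_dns_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print the DNS names from the SAN extension of a certificate, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print every DNS name requested in CSR $1 that is absent from certificate $2.
# Empty output means the CA honoured the whole request.
missing_sans() {
    csr_dns_names "$1" | while read -r name; do
        cert_dns_names "$2" | grep -qx "$name" || echo "$name"
    done
}

# Demo: show what a deployment script should assert after issuance.
demo() {
    make_csr
    sign_ignoring_request_extensions
    sign_honouring_request_extensions
    echo "Requested SANs:"; csr_dns_names "$WORK/node1.csr"
    echo "Dropped by a CA that ignores request extensions:"
    missing_sans "$WORK/node1.csr" "$WORK/dropped.crt"
    echo "Dropped by a CA that honours them (expect nothing):"
    missing_sans "$WORK/node1.csr" "$WORK/honoured.crt"
}

demo
```

The same missing_sans check can be run against a certificate downloaded from the CA after approval; a non-empty result means the profile dropped names from the request and the certificate should not be deployed.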

