[Pki-users] SAN Feild in the MSCE profile

John Magne jmagne at redhat.com
Sat Nov 7 01:41:19 UTC 2015


If you could possibly give us the "debug" log, the failure could possibly be isolated more easily.

----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
To: "John Magne" <jmagne at redhat.com>
Cc: pki-users at redhat.com
Sent: Friday, November 6, 2015 5:29:40 PM
Subject: Re: SAN Feild in the MSCE profile

Still not working:

This is what I put on the new profile

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl

policyset.serverCertSet.9.constraint.name=No Constraint

policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl

policyset.serverCertSet.9.default.name=Subject Alternative Name Extension
Default

policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true

policyset.serverCertSet.9.default.params.subjAltExtPattern_0=

policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName

policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false

policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1


The CSR looks like this:

*Common Name:* node1.example.com

*Subject Alternative Names:* test.example.com, test1.example.com,
test2.example.com

*Organization:* Test Corp

*Organization Unit:* IT Department

*Locality:* LA

*State:* OR

*Country:* US

On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
wrote:

> Thx, I will give that a try.
>
>
> On Thursday, November 5, 2015, John Magne <jmagne at redhat.com> wrote:
>
>> You should be able to do this:
>>
>> First for info on profiles and how to make new ones start here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
>>
>>
>>
>> If you look in this directory:
>>
>> /var/lib/pki/pki-tomcat/ca/profiles/ca
>>
>> This is where the raw profile files are. Looking through these should
>> provide an example of somebody using the subject alt name extension.
>> Whatever happening there can be created in a new profile.
>>
>>
>> ----- Original Message -----
>> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
>> To: pki-users at redhat.com
>> Sent: Thursday, November 5, 2015 12:52:38 PM
>> Subject: [Pki-users] SAN Feild in the MSCE profile
>>
>> Hi Pki-Users,
>>
>> I am trying to create a cert using a CSR that has more then one CN using
>> the Manuel Server Certificate Enrollment (MSCE) profile, but it seem that
>> it does not support a SAN Feild by default. Can I create a custom profile
>> that duplicates the MSCE profile, but adds the SAN Feild? Is so, what is
>> the process for doing that?
>>
>> Thanks,
>>
>> Rafael
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>




More information about the Pki-users mailing list