[Pki-users] SAN Field in the MSCE profile

Fraser Tweedale ftweedal at redhat.com
Sun Nov 8 22:48:08 UTC 2015


On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> Still not working:
> 
> This is what I put on the new profile
> 
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> 
> policyset.serverCertSet.9.constraint.name=No Constraint
> 
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> 
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension
> Default
> 
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> 
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> 
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> 
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> 
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> 
> 
> The CSR looks like this:
> 
> *Common Name:* node1.example.com
> 
> *Subject Alternative Names:* test.example.com, test1.example.com,
> test2.example.com
> 
> *Organization:* Test Corp
> 
> *Organization Unit:* IT Department
> 
> *Locality:* LA
> 
> *State:* OR
> 
> *Country:* US
> 

The SubjectAltNameExtDefault profile policy class does not copy
altNames from the CSR.  Rather, it takes the subjAltExtPattern_N's
specified (yours is empty, which is a problem) and formats them.
You can reference various aspects of the request in the pattern.
See the documentation for more info:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

If you want to copy an extension value directly from the
CSR into the certificate (e.g. so the SAN request extension is used
in the certificate) you can do that too.  This approach demands
caution because there is no validation of the extension value.  See
the caIPAserviceCert profile for an example of how to do this for
SAN.

Cheers,
Fraser

> On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
> wrote:
> 
> > Thx, I will give that a try.
> >
> >
> > On Thursday, November 5, 2015, John Magne <jmagne at redhat.com> wrote:
> >
> >> You should be able to do this:
> >>
> >> First for info on profiles and how to make new ones start here:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
> >>
> >>
> >>
> >> If you look in this directory:
> >>
> >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> >>
> >> This is where the raw profile files are. Looking through these should
> >> provide an example of somebody using the subject alt name extension.
> >> Whatever is happening there can be created in a new profile.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
> >> To: pki-users at redhat.com
> >> Sent: Thursday, November 5, 2015 12:52:38 PM
> >> Subject: [Pki-users] SAN Field in the MSCE profile
> >>
> >> Hi Pki-Users,
> >>
> >> I am trying to create a cert using a CSR that has more than one CN using
> >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
> >> it does not support a SAN Field by default. Can I create a custom profile
> >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
> >> the process for doing that?
> >>
> >> Thanks,
> >>
> >> Rafael
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >>
> >

> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
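The two ways of filling the SAN policy that Fraser describes, written out as an added illustration (not a fragment from the thread or from the Dogtag/RHCS sources). Option A keeps the SubjectAltNameExtDefault from Rafael's profile but gives subjAltExtPattern_0 the documented requestor e-mail pattern; option B copies the CSR's SAN extension by OID the way the caIPAserviceCert profile does. The class and parameter names in option B are reproduced from memory of that profile and should be checked against the copy in /var/lib/pki/pki-tomcat/ca/profiles/ca before use.

```properties
# Option A: the pattern-based default. The CA builds the SAN from request
# attributes named in the pattern; the SAN inside the CSR itself is ignored.
# An empty subjAltExtPattern_0 (as in the quoted profile) yields nothing usable.
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
# Documented pattern: the requestor's e-mail address taken from the request.
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$

# Option B (use instead of option A, not alongside it): copy the SAN
# extension (OID 2.5.29.17) verbatim from the CSR, as caIPAserviceCert does.
# The copied names are not validated by the CA, so the agent who approves the
# request is the only control over which DNS names end up in the certificate.
# Names below are recalled from caIPAserviceCert.cfg; verify against your copy.
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.9.default.name=User Supplied Extension Default
policyset.serverCertSet.9.default.params.userExtOID=2.5.29.17

# In either case the policy index (9 here) must appear in
# policyset.serverCertSet.list for the policy to run.
```

With option B, request approval is where SAN review happens, since the profile accepts whatever the CSR carries.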
