[Pki-users] SAN Field in the MSCE profile

Rafael Leiva-Ochoa spawn at rloteck.net
Mon Nov 9 04:40:09 UTC 2015


Thanks for the reply, Fraser. I was wondering why the CSR SAN field was
being ignored on the SubjectAltNameExtDefault profile policy class.
However, I am a bit confused; you said: "Rather, it takes the
subjAltExPattern_N's specified (yours is empty, which is a problem) and
formats them." How do I make it "not" empty? Is this something I do when I
approve the request on the DogTag CA web interface? How do I specify this?
I need the SAN to be verified when the web client (browser) checks the CN
or the SAN.

Thanks again for your help... :)

Rafael

On Sun, Nov 8, 2015 at 2:48 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:

> On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> > Still not working:
> >
> > This is what I put on the new profile
> >
> > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> >
> > policyset.serverCertSet.9.constraint.name=No Constraint
> >
> > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> >
> > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> >
> > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> >
> > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> >
> > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> >
> > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> >
> > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> >
> >
> > The CSR looks like this:
> >
> > *Common Name:* node1.example.com
> >
> > *Subject Alternative Names:* test.example.com, test1.example.com,
> > test2.example.com
> >
> > *Organization:* Test Corp
> >
> > *Organization Unit:* IT Department
> >
> > *Locality:* LA
> >
> > *State:* OR
> >
> > *Country:* US
> >
>
> The SubjectAltNameExtDefault profile policy class does not copy
> altNames from the CSR.  Rather, it takes the subjAltExPattern_N's
> specified (yours is empty, which is a problem) and formats them.
> You can reference various aspects of the request in the pattern.
> See the documentation for more info:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>
> If you want to copy an extension value directly from the
> CSR into the certificate (e.g. so the SAN request extension is used
> in the certificate) you can do that too.  This approach demands
> caution because there is no validation of the extension value.  See
> the caIPAserviceCert profile for an example of how to do this for
> SAN.
>
> Cheers,
> Fraser
>
> > On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
> > wrote:
> >
> > > Thx, I will give that a try.
> > >
> > >
> > > On Thursday, November 5, 2015, John Magne <jmagne at redhat.com> wrote:
> > >
> > >> You should be able to do this:
> > >>
> > >> First for info on profiles and how to make new ones start here:
> > >>
> > >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
> > >>
> > >>
> > >>
> > >> If you look in this directory:
> > >>
> > >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> > >>
> > >> This is where the raw profile files are. Looking through these should
> > >> provide an example of somebody using the subject alt name extension.
> > >> Whatever is happening there can be created in a new profile.
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
> > >> To: pki-users at redhat.com
> > >> Sent: Thursday, November 5, 2015 12:52:38 PM
> > >> Subject: [Pki-users] SAN Field in the MSCE profile
> > >>
> > >> Hi Pki-Users,
> > >>
> > >> I am trying to create a cert using a CSR that has more than one CN using
> > >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
> > >> it does not support a SAN Field by default. Can I create a custom profile
> > >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
> > >> the process for doing that?
> > >>
> > >> Thanks,
> > >>
> > >> Rafael
> > >>
> > >> _______________________________________________
> > >> Pki-users mailing list
> > >> Pki-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/pki-users
> > >>
> > >
>
>
>
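Added example, not taken from the thread or from Dogtag's shipped profiles: the posted policy fragment with its empty pattern, beside a corrected fragment whose patterns reference request attributes, and the caIPAserviceCert-style direct copy that Fraser mentions. The `$request.req_subject_name.cn$` and `$request.requestor_email$` pattern variables and the `userExtensionDefaultImpl` / `userExtOID` parameters are the ones documented for the Subject Alternative Name Extension Default and User Supplied Extension Default; the second GN slot and the policy number 10 are my own layout. A real profile would contain only one of the three variants, and any new policy number must also be listed in `policyset.serverCertSet.list`.

```properties
# --- As posted: one DNSName slot whose pattern is empty, so the default
#     has nothing to format and the issued certificate gets no usable SAN.
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=

# --- Corrected: every enabled GN slot carries a pattern built from request
#     attributes. Slot 0 puts the CSR subject CN (node1.example.com in the
#     thread's CSR) into a DNSName SAN, so a browser that matches on the SAN
#     instead of the CN still accepts the certificate. Slot 1 (assumed, not
#     from the thread) adds the requestor's e-mail as an RFC822Name.
#     Note: this formats request attributes; it does NOT copy the extra
#     names (test.example.com, ...) that were in the CSR's own SAN extension.
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=2
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtType_1=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.requestor_email$

# --- Alternative (the approach caIPAserviceCert uses): copy the CSR's own
#     subjectAltName request extension (OID 2.5.29.17) into the certificate
#     verbatim, which is the only way the CSR's test*.example.com names get in.
#     The CA performs no validation of the copied names, so the agent must
#     review the SAN values on the request before approving it.
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
```

The pattern variant is the safer choice when the CA should decide which names appear, because the names are derived from attributes the CA already sees; the direct-copy variant honours whatever the requester put in the CSR, which is why it is paired with agent review rather than a "No Constraint" policy in practice.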