[Pki-users] SAN Field in the MSCE profile

John Magne jmagne at redhat.com
Mon Nov 9 20:07:23 UTC 2015


Hi:

I'm a bit swamped right now, but look at this if you have not seen it already:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html

This has more specific info on how to set up subjectName and subjectAltName. There is a link in that document that points to the subjectAltName defaults specifically.

----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
To: "John Magne" <jmagne at redhat.com>
Sent: Friday, November 6, 2015 11:01:02 PM
Subject: Re: SAN Field in the MSCE profile

Here you go.

On Fri, Nov 6, 2015 at 5:47 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
wrote:

> ok. I will run one tonight.
>
> Thanks
>
> On Fri, Nov 6, 2015 at 5:41 PM, John Magne <jmagne at redhat.com> wrote:
>
>> If you could possibly give us the "debug" log, the failure could possibly
>> be isolated more easily.
>>
>> ----- Original Message -----
>> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
>> To: "John Magne" <jmagne at redhat.com>
>> Cc: pki-users at redhat.com
>> Sent: Friday, November 6, 2015 5:29:40 PM
>> Subject: Re: SAN Field in the MSCE profile
>>
>> Still not working:
>>
>> This is what I put on the new profile
>>
>> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
>>
>> policyset.serverCertSet.9.constraint.name=No Constraint
>>
>> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
>>
>> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
>>
>> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>>
>> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
>>
>> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
>>
>> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
>>
>> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>>
>>
>> The CSR looks like this:
>>
>> *Common Name:* node1.example.com
>>
>> *Subject Alternative Names:* test.example.com, test1.example.com,
>> test2.example.com
>>
>> *Organization:* Test Corp
>>
>> *Organization Unit:* IT Department
>>
>> *Locality:* LA
>>
>> *State:* OR
>>
>> *Country:* US
>>
>> On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
>> wrote:
>>
>> > Thx, I will give that a try.
>> >
>> >
>> > On Thursday, November 5, 2015, John Magne <jmagne at redhat.com> wrote:
>> >
>> >> You should be able to do this:
>> >>
>> >> First, for info on profiles and how to make new ones, start here:
>> >>
>> >>
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
>> >>
>> >>
>> >>
>> >> If you look in this directory:
>> >>
>> >> /var/lib/pki/pki-tomcat/ca/profiles/ca
>> >>
>> >> This is where the raw profile files are. Looking through these should
>> >> provide an example of somebody using the subject alt name extension.
>> >> Whatever is happening there can be created in a new profile.
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
>> >> To: pki-users at redhat.com
>> >> Sent: Thursday, November 5, 2015 12:52:38 PM
>> >> Subject: [Pki-users] SAN Field in the MSCE profile
>> >>
>> >> Hi Pki-Users,
>> >>
>> >> I am trying to create a cert using a CSR that has more than one CN using
>> >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
>> >> it does not support a SAN Field by default. Can I create a custom profile
>> >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
>> >> the process for doing that?
>> >>
>> >> Thanks,
>> >>
>> >> Rafael
>> >>
>> >> _______________________________________________
>> >> Pki-users mailing list
>> >> Pki-users at redhat.com
>> >> https://www.redhat.com/mailman/listinfo/pki-users
>> >>
>> >
>>
>
>
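
An added example, not part of the thread and not Dogtag code: a small consistency check over the policy set 9 lines quoted above, which reports general-name slots that are enabled with an empty pattern and compares the slot count with the three SANs the CSR lists. The function names are hypothetical, and the checks assume that each slot carries one name and that an empty pattern leaves the default with no value to place in the extension.

```python
import re

# Constructed sample: the policy set 9 lines as quoted in the thread.
PROFILE = """\
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

def parse_properties(text):  # key=value lines; blanks and # comments skipped
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_san_default(props, wanted_names=0):
    """Return findings for every subjectAltNameExtDefaultImpl policy (hypothetical helper)."""
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"(policyset\.[^.]+\.\d+)\.default\.class_id", key)
        if not m or value != "subjectAltNameExtDefaultImpl":
            continue
        base = m.group(1) + ".default.params."
        raw = props.get(base + "subjAltNameNumGNs", "")
        if not raw.isdigit():
            findings.append(f"{m.group(1)}: subjAltNameNumGNs missing or not a number")
            continue
        count = int(raw)
        if count < wanted_names:  # assumption: one name per slot
            findings.append(f"{m.group(1)}: {count} slot(s) for {wanted_names} name(s)")
        for i in range(count):
            for part in ("subjAltExtGNEnable_", "subjAltExtType_", "subjAltExtPattern_"):
                if base + part + str(i) not in props:
                    findings.append(f"{m.group(1)}: {part}{i} is missing")
            enabled = props.get(base + f"subjAltExtGNEnable_{i}", "").lower() == "true"
            if enabled and props.get(base + f"subjAltExtPattern_{i}") == "":
                findings.append(f"{m.group(1)}: slot {i} is enabled but its pattern is empty")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_san_default(parse_properties(PROFILE), wanted_names=3)))
```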



