[Pki-users] SAN Field in the MSCE profile

Fraser Tweedale ftweedal at redhat.com
Wed Nov 11 07:07:17 UTC 2015


On Sun, Nov 08, 2015 at 08:40:09PM -0800, Rafael Leiva-Ochoa wrote:
> Thanks for the reply Fraser, I was wondering why the CSR SAN field was
> being ignored on the SubjectAltNameExtDefault profile policy class.
> However, I am a bit confused, you said:  "Rather, it takes the
> subjAltExtPattern_N's specified (yours is empty, which is a problem) and
> formats them." How do I make it "not" empty? Is this something I do when I
> approve the request on the DogTag CA web interface? How do I specify this?
> I need the SAN to be verified when the web client (browser) checks the CN,
> or the SAN.
> 
The patterns are defined, "hard-coded", as part of the profile
configuration.  Therefore the number of SANs for any given profile
is fixed (if you are using the SubjectAltNameExtDefault class).
Each pattern gets formatted using information available in the
request.  See the documentation linked below for a table of the
variables you can include in these patterns.

I cannot see a way to propagate arbitrary domain names, other than
the CN (which is available as the $request.req_subject_name.cn$
variable), into SAN names, via SubjectAltNameExtDefault.

> Thanks again for your help... :)
> 
> Rafael
> 
> On Sun, Nov 8, 2015 at 2:48 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
> > On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> > > Still not working:
> > >
> > > This is what I put on the new profile
> > >
> > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> > > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> > > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> > > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> > >
> > >
> > > The CSR looks like this:
> > >
> > > Common Name: node1.example.com
> > > Subject Alternative Names: test.example.com, test1.example.com, test2.example.com
> > > Organization: Test Corp
> > > Organization Unit: IT Department
> > > Locality: LA
> > > State: OR
> > > Country: US
> > >
> >
> > The SubjectAltNameExtDefault profile policy class does not copy
> > altNames from the CSR.  Rather, it takes the subjAltExtPattern_N's
> > specified (yours is empty, which is a problem) and formats them.
> > You can reference various aspects of the request in the pattern.
> > See the documentation for more info:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> >
> > If you want to copy an extension value directly from the
> > CSR into the certificate (e.g. so the SAN request extension is used
> > in the certificate) you can do that too.  This approach demands
> > caution because there is no validation of the extension value.  See
> > the caIPAserviceCert profile for an example of how to do this for
> > SAN.
> >
> > Cheers,
> > Fraser
> >
> > > On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
> > > wrote:
> > >
> > > > Thx, I will give that a try.
> > > >
> > > >
> > > > On Thursday, November 5, 2015, John Magne <jmagne at redhat.com> wrote:
> > > >
> > > >> You should be able to do this:
> > > >>
> > > >> First for info on profiles and how to make new ones start here:
> > > >>
> > > >>
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
> > > >>
> > > >>
> > > >>
> > > >> If you look in this directory:
> > > >>
> > > >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> > > >>
> > > >> This is where the raw profile files are. Looking through these should
> > > >> provide an example of somebody using the subject alt name extension.
> > > >> Whatever is happening there can be created in a new profile.
> > > >>
> > > >>
> > > >> ----- Original Message -----
> > > >> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
> > > >> To: pki-users at redhat.com
> > > >> Sent: Thursday, November 5, 2015 12:52:38 PM
> > > >> Subject: [Pki-users] SAN Field in the MSCE profile
> > > >>
> > > >> Hi Pki-Users,
> > > >>
> > > >> I am trying to create a cert using a CSR that has more than one CN using
> > > >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
> > > >> it does not support a SAN Field by default. Can I create a custom profile
> > > >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
> > > >> the process for doing that?
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Rafael
> > > >>
> > > >> _______________________________________________
> > > >> Pki-users mailing list
> > > >> Pki-users at redhat.com
> > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > >>
> > > >
> >
> >
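Fraser's two options above, formatting SANs from fixed profile patterns versus copying the CSR's SAN extension verbatim, modelled as an added example. This is not code from the thread or from Dogtag. It parses a constructed profile fragment (the poster's policy set 9 with the empty pattern filled in with the $request.req_subject_name.cn$ variable named in the reply, plus a second www. name derived from the same CN), renders the SAN the way SubjectAltNameExtDefault does (one GeneralName per enabled pattern, the CSR's own SANs ignored), and shows the kind of check you would want to run on the CSR's SAN names before a profile copies them, since the copy path does no validation of its own. The request values, the permitted-domain list and the require-CN-in-SAN rule are assumptions for illustration, and the substitution models only the $request.<variable>$ form.

```python
"""Added example (not Dogtag code): model the two SAN options from the thread.

1. SubjectAltNameExtDefault ignores the CSR's SAN and formats a fixed set of
   subjAltExtPattern_N strings from request variables.
2. Copying the CSR's SAN extension verbatim needs its own validation, because
   the profile class that copies it performs none.

Profile fragment, request values, permitted domains and the CN-in-SAN rule
are constructed for illustration; only the $request.<var>$ form is modelled.
"""
import re

PARAMS = "policyset.serverCertSet.9.default.params."

# Constructed fragment: the poster's policy set 9 with the empty pattern
# replaced by the CN variable, plus a second DNSName derived from the CN.
PROFILE_CFG = """\
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=2
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=www.$request.req_subject_name.cn$
"""

# Constructed request: the CSR from the thread as the profile would see it.
# csr_san_dns stands in for the DNS names in the CSR's extensionRequest.
REQUEST = {
    "req_subject_name.cn": "node1.example.com",
    "req_subject_name.o": "Test Corp",
    "csr_san_dns": ["test.example.com", "test1.example.com", "test2.example.com"],
}

VAR_RE = re.compile(r"\$request\.([A-Za-z0-9_.]+)\$")
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def parse_profile(cfg):
    """Read key=value lines of a profile file into a dict."""
    params = {}
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def render_san_from_patterns(params, request, prefix=PARAMS):
    """Model SubjectAltNameExtDefault: one GeneralName per enabled pattern.

    Nothing from the CSR's own SAN is consulted; an empty pattern (the
    poster's configuration) produces an empty DNSName.
    """
    count = int(params.get(prefix + "subjAltNameNumGNs", "0"))
    names = []
    for i in range(count):
        if params.get(f"{prefix}subjAltExtGNEnable_{i}", "false").lower() != "true":
            continue
        gn_type = params.get(f"{prefix}subjAltExtType_{i}", "DNSName")
        pattern = params.get(f"{prefix}subjAltExtPattern_{i}", "")
        value = VAR_RE.sub(lambda m: request.get(m.group(1), ""), pattern)
        names.append((gn_type, value))
    return names


def validate_csr_san(csr_dns_names, cn, allowed_suffixes):
    """Checks to apply before a profile copies the CSR's SAN verbatim.

    Returns a list of problems; an empty list means the names are acceptable.
    Policy assumed here: every name must be a plain hostname (no wildcards)
    under a permitted domain, and the CN must also appear in the SAN because
    browsers match the SAN rather than the CN.
    """
    problems = []
    suffixes = [s.lower().lstrip(".") for s in allowed_suffixes]
    lowered = [n.lower() for n in csr_dns_names]
    if cn.lower() not in lowered:
        problems.append(f"CN {cn} is not among the SAN DNS names")
    for name in lowered:
        if not HOSTNAME_RE.match(name):
            problems.append(f"{name}: not a plain DNS hostname (wildcards rejected)")
            continue
        if not any(name == s or name.endswith("." + s) for s in suffixes):
            problems.append(f"{name}: outside the permitted domains {suffixes}")
    return problems


if __name__ == "__main__":
    params = parse_profile(PROFILE_CFG)
    print("SAN built from patterns:", render_san_from_patterns(params, REQUEST))
    problems = validate_csr_san(REQUEST["csr_san_dns"],
                                REQUEST["req_subject_name.cn"], ["example.com"])
    print("CSR SAN check:", problems or "ok")
```

Run as is, the pattern path yields node1.example.com and www.node1.example.com, and none of the CSR's three SAN entries, which is exactly the behaviour the thread is asking about. The validation function is a stand-in for whatever review you put in place at approval time if you instead copy the CSR extension through the way the caIPAserviceCert profile does; the thread notes that the profile class itself does not validate that value.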



