From spawn at rloteck.net Wed Dec 7 22:11:53 2016
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Wed, 7 Dec 2016 14:11:53 -0800
Subject: [Pki-users] CS Server error

Hi Team,

I have installed Dogtag on one of my Raspberry Pi 3 devices for testing. At first it was working great. Then I noticed that it took a very long time for the DogTag Start Page to start up when I rebooted my Pi. In some cases it took 10 minutes, but I attributed this to the fact that it was running on an ARM processor, and it takes a while to start up. Now, for some reason, I am getting this error:

HTTP Status 500 - CS server is not ready to serve.

type Exception report

message CS server is not ready to serve.

description The server encountered an internal error that prevented it from fulfilling this request.

exception

    java.io.IOException: CS server is not ready to serve.
        com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:445)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:264)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.38 logs.

------------------------------
Apache Tomcat/8.0.38

I have tried rebooting the Pi many times and looking at the logs, but no luck. Any ideas?

Thanks,

Rafael

From ftweedal at redhat.com Thu Dec 8 00:25:06 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 8 Dec 2016 10:25:06 +1000
Subject: [Pki-users] CS Server error
Message-ID: <20161208002506.GR28337@dhcp-40-8.bne.redhat.com>

On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote:
> Hi Team,
>
> I have installed Dogtag on one of my Raspberry Pi 3 devices for testing. At first it was working great. Then I noticed that it took a very long time for the DogTag Start Page to start up when I rebooted my Pi. In some cases it took 10 minutes, but I attributed this to the fact that it was running on an ARM processor, and it takes a while to start up. Now, for some reason, I am getting this error:
>
> HTTP Status 500 - CS server is not ready to serve.
>
> java.io.IOException: CS server is not ready to serve.
>
> Thanks,
>
> Rafael

Thank you for testing Dogtag on ARM / RPi :)

Could you please provide the /var/log/pki/pki-tomcat/ca/debug log file? Probably best to upload the file somewhere and point us to it, or send it to me off-list; it can be quite large.

I will take a look at it and try and work out what's causing the failure.

Thanks,
Fraser

From joris.dedieu at gmail.com Thu Dec 8 10:56:06 2016
From: joris.dedieu at gmail.com (joris dedieu)
Date: Thu, 8 Dec 2016 11:56:06 +0100
Subject: [Pki-users] How to add a custom extension to a profile

Hi list,

I'm currently trying to add some extensions (for Puppet trusted facts: https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html) to my certificates. As far as I understand, I have to create / modify a profile to do so. From the CSR, I can see the request extension:

    Requested Extensions:
        1.3.6.1.4.1.34380.1.1.13:
            ..my_puppet_role
        X509v3 Subject Alternative Name:

So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and retrieve its value in $request$? Is there something similar somewhere that I can use as an example? A doc to read?

Many thanks
Joris

From msauton at redhat.com Fri Dec 9 00:05:53 2016
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 8 Dec 2016 16:05:53 -0800
Subject: [Pki-users] How to add a custom extension to a profile

You could try to modify a profile for SSL server certificate enrollment:

    cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
    vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg

    ...snip...
    policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
    ...snip...
    policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
    policyset.serverCertSet.pp.constraint.name=Extension Constraint
    policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
    policyset.serverCertSet.pp.constraint.params.extCritical=false
    policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
    policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
    policyset.serverCertSet.pp.default.params.userExtCritical=false

Restart the CA and submit a CSR that carries a user-supplied extension for that OID, with a value, to the modified profile; the extension and its value should then appear among the X509v3 extensions of the issued certificate.
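The `..my_puppet_role` line in the CSR dump above is the DER-encoded extension value with its two header bytes rendered as dots. The following is an added example, not code from the thread, Dogtag or Puppet: a dependency-free encoder/decoder that builds Puppet trusted-fact extensions the way a CSR's extensionRequest carries them and decodes them back, naming a few OIDs with the pp_* labels used later in the thread. The partial OID-to-name table, the UTF8String wrapping of each value (how Puppet agents encode these facts) and all sample values are assumptions or constructed input.

```python
"""Decode the extensionRequest values a Puppet agent embeds in its CSR.

Added example for this thread (not code from the pki-users list, Dogtag or
Puppet). Builds a trusted-fact Extension as a CSR carries it and decodes it,
showing why openssl printed `..my_puppet_role`: the dots are the UTF8String
tag (0x0c) and length byte it cannot render for an unknown OID. Samples are
constructed."""
PUPPET_ARC = "1.3.6.1.4.1.34380.1.1"
# A few pp_* short names from the profile in the thread (deliberately partial).
PUPPET_NAMES = {1: "pp_uuid", 2: "pp_instance_id", 3: "pp_image_name",
                13: "pp_role", 25: "pp_hostname"}


def encode_oid(oid):
    """DER content octets of an OID: first two arcs merged, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # clear high bit terminates the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, body):
    """Tag-length-value with DER short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_extension(oid, text, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue };
    Puppet stores each trusted fact as a UTF8String inside extnValue."""
    parts = tlv(0x06, encode_oid(oid))
    if critical:
        parts += tlv(0x01, b"\xff")
    parts += tlv(0x04, tlv(0x0C, text.encode("utf-8")))
    return tlv(0x30, parts)


def build_extensions(exts):
    """Extensions ::= SEQUENCE OF Extension, the extensionRequest value."""
    return tlv(0x30, b"".join(build_extension(*e) for e in exts))


def parse_extensions(der):
    """One dict per Extension: oid, pp_* name, critical, text, openssl_view."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        t, oid_body, p = read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OID"
        oid, critical = decode_oid(oid_body), False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:                 # optional BOOLEAN critical
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        # openssl has no printer for an unknown OID and falls back to dumping
        # the raw extnValue octets, replacing non-printable bytes with '.'.
        view = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in body)
        inner_tag, inner, _ = read_tlv(body, 0)
        text = inner.decode("utf-8") if inner_tag == 0x0C else inner.hex()
        name = None
        if oid.startswith(PUPPET_ARC + "."):
            name = PUPPET_NAMES.get(int(oid.rsplit(".", 1)[1]))
        out.append({"oid": oid, "name": name, "critical": critical,
                    "text": text, "openssl_view": view})
    return out


if __name__ == "__main__":   # constructed sample: the pp_role fact from the thread
    for e in parse_extensions(build_extensions([(PUPPET_ARC + ".13", "my_puppet_role")])):
        print(e["oid"], e["name"], repr(e["openssl_view"]), repr(e["text"]))
```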
From joris.dedieu at gmail.com Fri Dec 9 09:50:44 2016
From: joris.dedieu at gmail.com (joris dedieu)
Date: Fri, 9 Dec 2016 10:50:44 +0100
Subject: [Pki-users] How to add a custom extension to a profile

Hi Marc,

2016-12-09 1:05 GMT+01:00 Marc Sauton:
> you could try to modify a profile for SSL server certificate enrollment:
>
> cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> ...snip...
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> ...snip...
> policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> policyset.serverCertSet.pp.constraint.name=Extension Constraint
> policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.constraint.params.extCritical=false
> policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.default.params.userExtCritical=false

Excellent, it works like a charm! I just changed extensionConstraintImpl to noConstraintImpl so that the extensions are not mandatory anymore. Here is the complete Puppet trusted facts sequence. Useful for using DogTag (FreeIPA in my case) as an external PKI for Puppet.
Many thanks
Joris

    policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
    policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
    policyset.serverCertSet.pp1.constraint.params.extCritical=false
    policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
    policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
    policyset.serverCertSet.pp1.default.params.userExtCritical=false
    policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
    policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
    policyset.serverCertSet.pp2.constraint.params.extCritical=false
    policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
    policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
    policyset.serverCertSet.pp2.default.params.userExtCritical=false
    policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
    policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
    policyset.serverCertSet.pp3.constraint.params.extCritical=false
    policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
    policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
    policyset.serverCertSet.pp3.default.params.userExtCritical=false
    policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
    policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
    policyset.serverCertSet.pp4.constraint.params.extCritical=false
    policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
    policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
    policyset.serverCertSet.pp4.default.params.userExtCritical=false
    policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
    policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
    policyset.serverCertSet.pp5.constraint.params.extCritical=false
    policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
    policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
    policyset.serverCertSet.pp5.default.params.userExtCritical=false
    policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
    policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
    policyset.serverCertSet.pp6.constraint.params.extCritical=false
    policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
    policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
    policyset.serverCertSet.pp6.default.params.userExtCritical=false
    policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
    policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
    policyset.serverCertSet.pp7.constraint.params.extCritical=false
    policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
    policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
    policyset.serverCertSet.pp7.default.params.userExtCritical=false
    policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
    policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
    policyset.serverCertSet.pp8.constraint.params.extCritical=false
    policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
    policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
    policyset.serverCertSet.pp8.default.params.userExtCritical=false
    policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
    policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
    policyset.serverCertSet.pp9.constraint.params.extCritical=false
    policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
    policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
    policyset.serverCertSet.pp9.default.params.userExtCritical=false
    policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
    policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
    policyset.serverCertSet.pp10.constraint.params.extCritical=false
    policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
    policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
    policyset.serverCertSet.pp10.default.params.userExtCritical=false
    policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
    policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
    policyset.serverCertSet.pp11.constraint.params.extCritical=false
    policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
    policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
    policyset.serverCertSet.pp11.default.params.userExtCritical=false
    policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
    policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
    policyset.serverCertSet.pp12.constraint.params.extCritical=false
    policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
    policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
    policyset.serverCertSet.pp12.default.params.userExtCritical=false
    policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
    policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
    policyset.serverCertSet.pp13.constraint.params.extCritical=false
    policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
    policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
    policyset.serverCertSet.pp13.default.params.userExtCritical=false
    policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
    policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
    policyset.serverCertSet.pp14.constraint.params.extCritical=false
    policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
    policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
    policyset.serverCertSet.pp14.default.params.userExtCritical=false
    policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
    policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
    policyset.serverCertSet.pp15.constraint.params.extCritical=false
    policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
    policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
    policyset.serverCertSet.pp15.default.params.userExtCritical=false
    policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
    policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
    policyset.serverCertSet.pp16.constraint.params.extCritical=false
    policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
    policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
    policyset.serverCertSet.pp16.default.params.userExtCritical=false
    policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
    policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
    policyset.serverCertSet.pp17.constraint.params.extCritical=false
    policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
    policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
    policyset.serverCertSet.pp17.default.params.userExtCritical=false
    policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
    policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
    policyset.serverCertSet.pp18.constraint.params.extCritical=false
    policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
    policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
    policyset.serverCertSet.pp18.default.params.userExtCritical=false
    policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
    policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
    policyset.serverCertSet.pp19.constraint.params.extCritical=false
    policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
    policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
    policyset.serverCertSet.pp19.default.params.userExtCritical=false
    policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
    policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
    policyset.serverCertSet.pp20.constraint.params.extCritical=false
    policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
    policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
    policyset.serverCertSet.pp20.default.params.userExtCritical=false
    policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
    policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
    policyset.serverCertSet.pp21.constraint.params.extCritical=false
    policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
    policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
    policyset.serverCertSet.pp21.default.params.userExtCritical=false
    policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
    policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
    policyset.serverCertSet.pp22.constraint.params.extCritical=false
    policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
    policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
    policyset.serverCertSet.pp22.default.params.userExtCritical=false
    policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
    policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
    policyset.serverCertSet.pp23.constraint.params.extCritical=false
    policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
    policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
    policyset.serverCertSet.pp23.default.params.userExtCritical=false
    policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
    policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
    policyset.serverCertSet.pp24.constraint.params.extCritical=false
    policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
    policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
    policyset.serverCertSet.pp24.default.params.userExtCritical=false
    policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
    policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
    policyset.serverCertSet.pp25.constraint.params.extCritical=false
    policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
    policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
    policyset.serverCertSet.pp25.default.params.userExtCritical=false
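The sequence above defines pp1 to pp25 but does not show the `policyset.serverCertSet.list` line that must name each new id; Dogtag only instantiates the policies listed there, so an id that is defined but not listed is simply never applied and the certificate comes back without that extension. The following is an added example, not code from Dogtag or from this thread: a small Python checker that parses a profile .cfg fragment and reports unlisted ids, listed ids without a constraint or default class, two policies adding the same OID, and an extensionConstraintImpl whose extOID or extCritical disagrees with the userExtensionDefaultImpl it guards. The profile text inside it is constructed for the demonstration.

```python
"""Consistency check for the user-extension policies in a Dogtag profile.

Added example for this thread (not code from Dogtag or the pki-users list).
It parses the flat key=value profile format and flags what silently breaks
the procedure above: an id defined under policyset.<set>.<id>.* but absent
from policyset.<set>.list (the CA loads only listed ids), a listed id without
constraint or default class, two policies adding the same OID, and an
extensionConstraintImpl whose extOID/extCritical disagree with the default it
guards. The profile text below is constructed.
"""


def parse_profile(text):
    """Parse /var/lib/pki/<instance>/ca/profiles/ca/*.cfg style key=value lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def policy_ids(cfg, setname):
    """Every id with at least one key under policyset.<set>.<id>., listed or not."""
    prefix = f"policyset.{setname}."
    ids = []
    for key in cfg:
        if key.startswith(prefix) and key != prefix + "list":
            pid = key[len(prefix):].split(".", 1)[0]
            if pid not in ids:
                ids.append(pid)
    return ids


def check_policyset(cfg, setname):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    prefix = f"policyset.{setname}."
    listed = [p for p in cfg.get(prefix + "list", "").split(",") if p]
    if not listed:
        findings.append(f"{prefix}list is missing or empty")
    for pid in policy_ids(cfg, setname):
        if pid not in listed:
            findings.append(f"{pid}: defined but not in {prefix}list, so the CA ignores it")
    seen = {}
    for pid in listed:
        p = f"{prefix}{pid}."
        cons, dflt = cfg.get(p + "constraint.class_id"), cfg.get(p + "default.class_id")
        if not cons or not dflt:
            findings.append(f"{pid}: listed but constraint.class_id or default.class_id is missing")
            continue
        if dflt != "userExtensionDefaultImpl":
            continue                       # only user-supplied extension policies are checked
        oid = cfg.get(p + "default.params.userExtOID", "")
        if oid in seen:
            findings.append(f"{pid}: userExtOID {oid} is already added by {seen[oid]}")
        seen.setdefault(oid, pid)
        if cons == "extensionConstraintImpl":
            if cfg.get(p + "constraint.params.extOID") != oid:
                findings.append(f"{pid}: constraint extOID does not match default userExtOID {oid}")
            if cfg.get(p + "constraint.params.extCritical") != cfg.get(p + "default.params.userExtCritical"):
                findings.append(f"{pid}: extCritical and userExtCritical disagree")
        elif cons != "noConstraintImpl":
            findings.append(f"{pid}: unexpected constraint {cons} for a user-supplied extension")
    return findings


# Constructed fragment in the shape of the thread's caServerCert.cfg edits:
# pp and pp1 are correct, pp2 is defined but never listed, pp3 guards the wrong OID.
SAMPLE_PROFILE = """\
policyset.list=serverCertSet
policyset.serverCertSet.list=pp,pp1,pp3
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.constraint.params.extCritical=false
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.params.userExtCritical=false
policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.default.params.userExtCritical=false
policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.default.params.userExtCritical=false
policyset.serverCertSet.pp3.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp3.constraint.params.extCritical=false
policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.default.params.userExtCritical=false
"""

if __name__ == "__main__":
    for finding in check_policyset(parse_profile(SAMPLE_PROFILE), "serverCertSet"):
        print("WARN", finding)
```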
From msauton at redhat.com Fri Dec 9 18:53:57 2016
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 9 Dec 2016 10:53:57 -0800
Subject: [Pki-users] How to add a custom extension to a profile

Glad it helps.

Note that in the context of IPA, the PKI / Dogtag profiles are now stored in the LDAP server backend, so the procedure is different in FreeIPA 4.4.

If those changes are working fine in your environment, and if this may benefit others, as Puppet makes use of more PKI, I would propose to open an RFE to add a new profile by default in the Dogtag project (so it can make its way to FreeIPA), and/or document this in the wiki or in an article that I can add to https://access.redhat.com/ for the "Red Hat Certificate System" product.

Thanks for any feedback,
M.
> 6.1.4.1.34380.1.1.12 > policyset.serverCertSet.pp12.constraint.params.extCritical=false > policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name > (pp_environment) > policyset.serverCertSet.pp12.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.12 > policyset.serverCertSet.pp12.default.params.userExtCritical=false > policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name > (pp_role) > policyset.serverCertSet.pp13.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.13 > policyset.serverCertSet.pp13.constraint.params.extCritical=false > policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role) > policyset.serverCertSet.pp13.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.13 > policyset.serverCertSet.pp13.default.params.userExtCritical=false > policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp14.constraint.name=Puppet Node Software > Version (pp_software_version) > policyset.serverCertSet.pp14.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.14 > policyset.serverCertSet.pp14.constraint.params.extCritical=false > policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp14.default.name=Puppet Node Software Version > (pp_software_version) > policyset.serverCertSet.pp14.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.14 > policyset.serverCertSet.pp14.default.params.userExtCritical=false > policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp15.constraint.name=Puppet Node Department > Name (pp_department) > policyset.serverCertSet.pp15.constraint.params.extOID=1.3. 
> 6.1.4.1.34380.1.1.15 > policyset.serverCertSet.pp15.constraint.params.extCritical=false > policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp15.default.name=Puppet Node Department Name > (pp_department) > policyset.serverCertSet.pp15.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.15 > policyset.serverCertSet.pp15.default.params.userExtCritical=false > policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name > (pp_cluster) > policyset.serverCertSet.pp16.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.16 > policyset.serverCertSet.pp16.constraint.params.extCritical=false > policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name > (pp_cluster) > policyset.serverCertSet.pp16.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.16 > policyset.serverCertSet.pp16.default.params.userExtCritical=false > policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner > Name (pp_provisioner) > policyset.serverCertSet.pp17.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.17 > policyset.serverCertSet.pp17.constraint.params.extCritical=false > policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name > (pp_provisioner) > policyset.serverCertSet.pp17.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.17 > policyset.serverCertSet.pp17.default.params.userExtCritical=false > policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name > (pp_region) > policyset.serverCertSet.pp18.constraint.params.extOID=1.3. 
> 6.1.4.1.34380.1.1.18 > policyset.serverCertSet.pp18.constraint.params.extCritical=false > policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp18.default.name=Puppet Node Region Name > (pp_region) > policyset.serverCertSet.pp18.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.18 > policyset.serverCertSet.pp18.default.params.userExtCritical=false > policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter > Name (pp_datacenter) > policyset.serverCertSet.pp19.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.19 > policyset.serverCertSet.pp19.constraint.params.extCritical=false > policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name > (pp_datacenter) > policyset.serverCertSet.pp19.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.19 > policyset.serverCertSet.pp19.default.params.userExtCritical=false > policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name > (pp_zone) > policyset.serverCertSet.pp20.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.20 > policyset.serverCertSet.pp20.constraint.params.extCritical=false > policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone) > policyset.serverCertSet.pp20.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.20 > policyset.serverCertSet.pp20.default.params.userExtCritical=false > policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name > (pp_network) > policyset.serverCertSet.pp21.constraint.params.extOID=1.3. 
> 6.1.4.1.34380.1.1.21 > policyset.serverCertSet.pp21.constraint.params.extCritical=false > policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp21.default.name=Puppet Node Network Name > (pp_network) > policyset.serverCertSet.pp21.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.21 > policyset.serverCertSet.pp21.default.params.userExtCritical=false > policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp22.constraint.name=Puppet Node Security > Policy Name (pp_securitypolicy) > policyset.serverCertSet.pp22.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.22 > policyset.serverCertSet.pp22.constraint.params.extCritical=false > policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy > Name (pp_securitypolicy) > policyset.serverCertSet.pp22.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.22 > policyset.serverCertSet.pp22.default.params.userExtCritical=false > policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud > Platform Name (pp_cloudplatform) > policyset.serverCertSet.pp23.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.23 > policyset.serverCertSet.pp23.constraint.params.extCritical=false > policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform > Name (pp_cloudplatform) > policyset.serverCertSet.pp23.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.23 > policyset.serverCertSet.pp23.default.params.userExtCritical=false > policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp24.constraint.name=Puppet Node Application > Tier (pp_apptier) > policyset.serverCertSet.pp24.constraint.params.extOID=1.3. 
> 6.1.4.1.34380.1.1.24 > policyset.serverCertSet.pp24.constraint.params.extCritical=false > policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier > (pp_apptier) > policyset.serverCertSet.pp24.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.24 > policyset.serverCertSet.pp24.default.params.userExtCritical=false > policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl > policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname > (pp_hostname) > policyset.serverCertSet.pp25.constraint.params.extOID=1.3. > 6.1.4.1.34380.1.1.25 > policyset.serverCertSet.pp25.constraint.params.extCritical=false > policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl > policyset.serverCertSet.pp25.default.name=Puppet Node Hostname > (pp_hostname) > policyset.serverCertSet.pp25.default.params.userExtOID=1.3. > 6.1.4.1.34380.1.1.25 > policyset.serverCertSet.pp25.default.params.userExtCritical=false > > > > > > > > restart the CA and apply a CSR to the modified profile that has a user > > supplied extension for that OID, and a value, they should then appear in > the > > X509v3 extensions of the issued certificate > > > > On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu > wrote: > >> > >> Hi list, > >> I'm currently trying to add some extensions (For puppet trusted > >> factshttps://docs.puppet.com/puppet/latest/ssl_attributes_ > extensions.html) > >> to my certificates. As far as I understand, I have to create / modify > >> a profile to do so. From the CSR, I can see the request extension > >> > >> > >> Requested Extensions: > >> 1.3.6.1.4.1.34380.1.1.13: > >> ..my_puppet_role > >> X509v3 Subject Alternative Name: > >> > >> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 > >> retrieve it's value in $request$ ? Is there something similar, > >> somewhere that I can use as an example ? a doc to read ? 
> >>
> >> Many thanks
> >> Joris
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >
> >

From spawn at rloteck.net Sat Dec 10 09:22:02 2016
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Sat, 10 Dec 2016 01:22:02 -0800
Subject: [Pki-users] Publishing CRL on Certs
Message-ID:

Hi Everyone,

What configuration file on my Dogtag CA Server do I modify to publish the CRL? And what change do I put in it? I only see the OCSP link on certificates I generate or approve. Any help would be great.

Thanks,

Rafael

From msauton at redhat.com Sat Dec 10 22:26:28 2016
From: msauton at redhat.com (Marc Sauton)
Date: Sat, 10 Dec 2016 14:26:28 -0800
Subject: [Pki-users] Publishing CRL on Certs
In-Reply-To:
References:
Message-ID:

It is called "CRL publishing" (to file), and there are a few configuration steps, all in the "main" configuration file called CS.cfg (e.g. /etc/pki/pki-ca1from80/ca/CS.cfg). Stop the CA before any manual edits (you need to know what to change), or use the pkiconsole UI to make changes.
It may seem a little bit confusing at first, but the system is flexible, with the components called "mappers, publishers, and rules".
I will refer to the online documentation for the details and examples. You can have one CRL, CRL issuing points, delta CRLs.
http://pki.fedoraproject.org/wiki/CRL_Publishing
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/Publishing.html
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/Configuring_Publishers_for_Publishing_to_a_File.html
and
https://access.redhat.com/site/solutions/400253 Red Hat Certificate System CRL publishing to file
Thanks,
M.
On Sat, Dec 10, 2016 at 1:22 AM, Rafael Leiva-Ochoa wrote:
> Hi Everyone,
>
> What configuration file on my Dogtag CA Server do I modify to publish
> the CRL? And what change do I put in it? I only see the OCSP link on
> certificates I generate or approve. Any help would be great.
>
> Thanks,
>
> Rafael
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From ftweedal at redhat.com Mon Dec 12 01:18:11 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 11:18:11 +1000
Subject: [Pki-users] How to add a custom extension to a profile
In-Reply-To:
References:
Message-ID: <20161212011811.GD4232@dhcp-40-8.bne.redhat.com>

On Fri, Dec 09, 2016 at 10:53:57AM -0800, Marc Sauton wrote:
> Glad it helps.
> Note in the context of IPA, the PKI / Dogtag profiles are now stored in the
> LDAP server backend, so the procedure is different in FreeIPA 4.4.
> If those changes are working fine in your environment, and if this may
> benefit others, as puppet makes use of more PKI, I would propose to open an
> RFE to add a new profile by default in the Dogtag project (so it can make
> its way to FreeIPA), and/or document this in the wiki or in an article that
> I can add to https://access.redhat.com/ for the "Red Hat Certificate
> System" product.
> Thanks for any feedback,
> M.
>
Better to open such an RFE against FreeIPA, IMO. There is no need for
the profile to be defined by the Dogtag project.
Thanks, Fraser > On Fri, Dec 9, 2016 at 1:50 AM, joris dedieu wrote: > > > Hi Marc, > > > > 2016-12-09 1:05 GMT+01:00 Marc Sauton : > > > you could try to mofidy a profile for SSL server certificat enrollment: > > > > > > cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg > > > /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig > > > vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg > > > ...snip... > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp > > > ...snip... > > > policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl > > > policyset.serverCertSet.pp.constraint.name=Extension Constraint > > > policyset.serverCertSet.pp.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.13 > > > policyset.serverCertSet.pp.constraint.params.extCritical=false > > > policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl > > > policyset.serverCertSet.pp.default.name=User Supplied Key Usage > > Extension > > > policyset.serverCertSet.pp.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.13 > > > policyset.serverCertSet.pp.default.params.userExtCritical=false > > > > Excellent, it works like a charm ! I just changed > > extensionConstraintImpl to noConstraintImpl so that the extensions are > > not mandatory anymore. Here the complete puppet trusted facts > > sequence. Useful to use DogTag (FreeIPA in my case) as an external > > pki for Puppet. > > > > > > > > Many thanks > > Joris > > > > policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid) > > policyset.serverCertSet.pp1.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.1 > > policyset.serverCertSet.pp1.constraint.params.extCritical=false > > policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid) > > policyset.serverCertSet.pp1.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.1 > > policyset.serverCertSet.pp1.default.params.userExtCritical=false > > policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID > > (pp_instance_id) > > policyset.serverCertSet.pp2.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.2 > > policyset.serverCertSet.pp2.constraint.params.extCritical=false > > policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID > > (pp_instance_id) > > policyset.serverCertSet.pp2.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.2 > > policyset.serverCertSet.pp2.default.params.userExtCritical=false > > policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name > > (pp_image_name) > > policyset.serverCertSet.pp3.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.3 > > policyset.serverCertSet.pp3.constraint.params.extCritical=false > > policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp3.default.name=Puppet Node Image Name > > (pp_image_name) > > policyset.serverCertSet.pp3.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.3 > > policyset.serverCertSet.pp3.default.params.userExtCritical=false > > policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key > > (pp_preshared_key) > > policyset.serverCertSet.pp4.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.4 > > policyset.serverCertSet.pp4.constraint.params.extCritical=false > > policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key > > (pp_preshared_key) > > policyset.serverCertSet.pp4.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.4 > > policyset.serverCertSet.pp4.default.params.userExtCritical=false > > policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center > > Name (pp_cost_center) > > policyset.serverCertSet.pp5.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.5 > > policyset.serverCertSet.pp5.constraint.params.extCritical=false > > policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name > > (pp_cost_center) > > policyset.serverCertSet.pp5.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.5 > > policyset.serverCertSet.pp5.default.params.userExtCritical=false > > policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name > > (pp_product) > > policyset.serverCertSet.pp6.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.6 > > policyset.serverCertSet.pp6.constraint.params.extCritical=false > > policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp6.default.name=Puppet Node Product Name > > (pp_product) > > policyset.serverCertSet.pp6.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.6 > > policyset.serverCertSet.pp6.default.params.userExtCritical=false > > policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name > > (pp_project) > > policyset.serverCertSet.pp7.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.7 > > policyset.serverCertSet.pp7.constraint.params.extCritical=false > > policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp7.default.name=Puppet Node Project Name > > (pp_project) > > policyset.serverCertSet.pp7.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.7 > > policyset.serverCertSet.pp7.default.params.userExtCritical=false > > policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp8.constraint.name=Puppet Node Application > > Name (pp_application) > > policyset.serverCertSet.pp8.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.8 > > policyset.serverCertSet.pp8.constraint.params.extCritical=false > > policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp8.default.name=Puppet Node Application Name > > (pp_application) > > policyset.serverCertSet.pp8.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.8 > > policyset.serverCertSet.pp8.default.params.userExtCritical=false > > policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name > > (pp_service) > > policyset.serverCertSet.pp9.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.9 > > policyset.serverCertSet.pp9.constraint.params.extCritical=false > > policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp9.default.name=Puppet Node Service Name > > (pp_service) > > policyset.serverCertSet.pp9.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.9 > > policyset.serverCertSet.pp9.default.params.userExtCritical=false > > policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name > > (pp_employee) > > policyset.serverCertSet.pp10.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.10 > > policyset.serverCertSet.pp10.constraint.params.extCritical=false > > policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name > > (pp_employee) > > policyset.serverCertSet.pp10.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.10 > > policyset.serverCertSet.pp10.default.params.userExtCritical=false > > policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by > > Tag (pp_created_by) > > policyset.serverCertSet.pp11.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.11 > > policyset.serverCertSet.pp11.constraint.params.extCritical=false > > policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag > > (pp_created_by) > > policyset.serverCertSet.pp11.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.11 > > policyset.serverCertSet.pp11.default.params.userExtCritical=false > > policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment > > Name (pp_environment) > > policyset.serverCertSet.pp12.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.12 > > policyset.serverCertSet.pp12.constraint.params.extCritical=false > > policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name > > (pp_environment) > > policyset.serverCertSet.pp12.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.12 > > policyset.serverCertSet.pp12.default.params.userExtCritical=false > > policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name > > (pp_role) > > policyset.serverCertSet.pp13.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.13 > > policyset.serverCertSet.pp13.constraint.params.extCritical=false > > policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role) > > policyset.serverCertSet.pp13.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.13 > > policyset.serverCertSet.pp13.default.params.userExtCritical=false > > policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp14.constraint.name=Puppet Node Software > > Version (pp_software_version) > > policyset.serverCertSet.pp14.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.14 > > policyset.serverCertSet.pp14.constraint.params.extCritical=false > > policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp14.default.name=Puppet Node Software Version > > (pp_software_version) > > policyset.serverCertSet.pp14.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.14 > > policyset.serverCertSet.pp14.default.params.userExtCritical=false > > policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp15.constraint.name=Puppet Node Department > > Name (pp_department) > > policyset.serverCertSet.pp15.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.15 > > policyset.serverCertSet.pp15.constraint.params.extCritical=false > > policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp15.default.name=Puppet Node Department Name > > (pp_department) > > policyset.serverCertSet.pp15.default.params.userExtOID=1.3. > > 6.1.4.1.34380.1.1.15 > > policyset.serverCertSet.pp15.default.params.userExtCritical=false > > policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl > > policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name > > (pp_cluster) > > policyset.serverCertSet.pp16.constraint.params.extOID=1.3. > > 6.1.4.1.34380.1.1.16 > > policyset.serverCertSet.pp16.constraint.params.extCritical=false > > policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl > > policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name > > (pp_cluster) > > policyset.serverCertSet.pp16.default.params.userExtOID=1.3. 
> > 6.1.4.1.34380.1.1.16
> > policyset.serverCertSet.pp16.default.params.userExtCritical=false
> > policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.constraint.params.extCritical=false
> > policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.default.params.userExtCritical=false
> > policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.constraint.params.extCritical=false
> > policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.default.params.userExtCritical=false
> > policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.constraint.params.extCritical=false
> > policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.default.params.userExtCritical=false
> > policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.constraint.params.extCritical=false
> > policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.default.params.userExtCritical=false
> > policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.constraint.params.extCritical=false
> > policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.default.params.userExtCritical=false
> > policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.constraint.params.extCritical=false
> > policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.default.params.userExtCritical=false
> > policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.constraint.params.extCritical=false
> > policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.default.params.userExtCritical=false
> > policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.constraint.params.extCritical=false
> > policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.default.params.userExtCritical=false
> > policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.constraint.params.extCritical=false
> > policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.default.params.userExtCritical=false
> >
> > > restart the CA and apply a CSR to the modified profile that has a user
> > > supplied extension for that OID, and a value, they should then appear in the
> > > X509v3 extensions of the issued certificate
> > >
> > > On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu wrote:
> > >>
> > >> Hi list,
> > >> I'm currently trying to add some extensions (for Puppet trusted
> > >> facts https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> > >> to my certificates. As far as I understand, I have to create / modify
> > >> a profile to do so. From the CSR, I can see the request extension
> > >>
> > >> Requested Extensions:
> > >> 1.3.6.1.4.1.34380.1.1.13:
> > >> ..my_puppet_role
> > >> X509v3 Subject Alternative Name:
> > >>
> > >> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and
> > >> retrieve its value in $request$? Is there something similar,
> > >> somewhere that I can use as an example? A doc to read?
> > >>
> > >> Many thanks
> > >> Joris
> > >>
> > >> _______________________________________________
> > >> Pki-users mailing list
> > >> Pki-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/pki-users
> > >
> > >
> >
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
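Added example, not from the thread and not Dogtag or Puppet code: a small standard-library Python script that DER-encodes a Puppet trusted-fact extension the way it sits in the CSR (OID 1.3.6.1.4.1.34380.1.1.13 from Joris's CSR, value my_puppet_role), decodes it again, and runs the checks one would apply to the extension in the issued certificate against what the profile above declares (an OID under the Puppet arc 1.3.6.1.4.1.34380.1.1, extCritical=false). The value is assumed to be wrapped as a DER UTF8String, which is what Puppet emits for custom attributes and which also explains the two leading dots in the "..my_puppet_role" line of the openssl output quoted above: they are the UTF8String tag byte and the length byte, printed as dots because they are not printable. The function names and the sample value are this example's own.

```python
"""Added example (not from the thread): DER-encode/decode one Puppet trusted-fact
X.509 extension and check it against the profile's extCritical=false setting."""

# Puppet's private-extension arc, as used by the extOID values in the profile.
PUPPET_ARC = "1.3.6.1.4.1.34380.1.1"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])           # final 7-bit group, high bit clear
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # leading groups carry the continuation bit
            arc >>= 7
        body += chunk
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_utf8(text):
    """UTF8String (tag 0x0C); assumed encoding of Puppet's custom attribute values."""
    raw = text.encode("utf-8")
    return b"\x0c" + _der_len(len(raw)) + raw


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits 'critical' when FALSE, which is the extCritical=false case in the profile."""
    inner = der_utf8(value)
    body = der_oid(oid)
    if critical:
        body += b"\x01\x01\xff"
    body += b"\x04" + _der_len(len(inner)) + inner
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for one DER TLV."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted OID from the content octets of an OBJECT IDENTIFIER."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_extension(der):
    """Parse one Extension into its OID, critical flag, raw extnValue and decoded text."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, content, pos = _read_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid, critical = decode_oid(content), False
    tag, content, pos = _read_tlv(body, pos)
    if tag == 0x01:                               # optional BOOLEAN critical
        critical = content != b"\x00"
        tag, content, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    inner_tag, inner, _ = _read_tlv(content)
    value = inner.decode("utf-8") if inner_tag == 0x0C else None
    return {"oid": oid, "critical": critical, "raw": content, "value": value}


def openssl_style(raw):
    """Render extnValue the way the quoted 'openssl req -text' output did: non-printable
    bytes as '.', so the UTF8String tag and length appear as the leading '..'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def check_puppet_extension(der):
    """Checks for the extension as found in the issued certificate: Puppet arc,
    non-critical as the profile declares, and a UTF8String payload."""
    ext, problems = decode_extension(der), []
    if not ext["oid"].startswith(PUPPET_ARC + "."):
        problems.append("OID is not under the Puppet arc " + PUPPET_ARC)
    if ext["critical"]:
        problems.append("extension marked critical; profile sets extCritical=false")
    if ext["value"] is None:
        problems.append("extnValue does not wrap a UTF8String")
    return problems


if __name__ == "__main__":
    # Constructed sample: the pp_role fact from the original question.
    ext = encode_extension("1.3.6.1.4.1.34380.1.1.13", "my_puppet_role")
    parsed = decode_extension(ext)
    print(parsed["oid"], openssl_style(parsed["raw"]), check_puppet_extension(ext))
```

To apply this to a real certificate issued through the profile, feed check_puppet_extension the DER bytes of each extension under the Puppet arc; any non-empty list means the CA did not issue what the extCritical=false / userExtOID lines describe.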
