[Pki-users] How to add a custom extension to a profile

Marc Sauton msauton at redhat.com
Fri Dec 9 00:05:53 UTC 2016


you could try to modify a profile for SSL server certificate enrollment:

cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg \
   /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
...snip...
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
...snip...
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.name=Extension Constraint
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.constraint.params.extCritical=false
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.params.userExtCritical=false

restart the CA and apply a CSR to the modified profile that has a
user-supplied extension for that OID, and a value; they should then appear
in the X509v3 extensions of the issued certificate.

On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <joris.dedieu at gmail.com> wrote:

> Hi list,
> I'm currently trying to add some extensions (for Puppet trusted
> facts https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
>  to my certificates. As far as I understand, I have to create / modify
> a profile to do so. From the CSR, I can see the request extension
>
>
>         Requested Extensions:
>             1.3.6.1.4.1.34380.1.1.13:
>                 ..my_puppet_role
>             X509v3 Subject Alternative Name:
>
> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and
> retrieve its value in $request$? Is there something similar,
> somewhere that I can use as an example? A doc to read?
>
> Many thanks
> Joris
>
>
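
Added example (not part of the original message and not Dogtag code): a small Python check that the pass-through policy from the reply is wired consistently before the CA is restarted, i.e. that the policy id is in the set's list and that the constraint and default name the same OID. The function names are hypothetical, the sample is the fragment from the message, and the criticality rule is an assumption.

```python
OID = "1.3.6.1.4.1.34380.1.1.13"

# Constructed sample: the fragment from the message, without the snipped parts.
SAMPLE_PROFILE = """\
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.name=Extension Constraint
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.constraint.params.extCritical=false
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.params.userExtCritical=false
"""

def parse_profile(text):
    """Parse key=value lines; blanks, comments and '...snip...' are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_passthrough(props, policy_set, policy_id, oid):
    """Return a list of problems with the pass-through policy (empty if none)."""
    problems = []
    base = f"policyset.{policy_set}."
    listed = [p.strip() for p in props.get(base + "list", "").split(",")]
    if policy_id not in listed:
        problems.append(f"{policy_id} is defined but missing from {base}list")
    expected = {
        "constraint.class_id": "extensionConstraintImpl",
        "constraint.params.extOID": oid,
        "default.class_id": "userExtensionDefaultImpl",
        "default.params.userExtOID": oid,
    }
    for suffix, want in expected.items():
        got = props.get(f"{base}{policy_id}.{suffix}")
        if got != want:
            problems.append(f"{policy_id}.{suffix} is {got!r}, expected {want!r}")
    # Assumption: the constraint and the default must agree on criticality.
    crit = props.get(f"{base}{policy_id}.constraint.params.extCritical")
    if crit != props.get(f"{base}{policy_id}.default.params.userExtCritical"):
        problems.append(f"{policy_id}: extCritical and userExtCritical differ")
    return problems

if __name__ == "__main__":
    print(check_passthrough(parse_profile(SAMPLE_PROFILE), "serverCertSet", "pp", OID))
```

An empty list means the fragment is internally consistent; it does not confirm that the CA accepted the profile or that the issued certificate carries the extension.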