[Pki-users] How to add a custom extension to a profile

Marc Sauton msauton at redhat.com
Fri Dec 9 18:53:57 UTC 2016


Glad it helps.
Note in the context of IPA, the PKI / Dogtag profiles are now stored in the
LDAP server backend, so the procedure is different in FreeIPA 4.4.
If those changes are working fine in your environment, and if this may
benefit others, as puppet makes use of more PKI, I would propose to open a
RFE to add a new profile by default in the Dogtag project (so it can make
its way to FreeIPA), and/or document this in the wiki or on an article that
I can add to https://access.redhat.com/ for the "Red Hat Certificate
System" product.
Thanks for any feedback,
M.

On Fri, Dec 9, 2016 at 1:50 AM, joris dedieu <joris.dedieu at gmail.com> wrote:

> Hi Marc,
>
> 2016-12-09 1:05 GMT+01:00 Marc Sauton <msauton at redhat.com>:
> > you could try to modify a profile for SSL server certificate enrollment:
> >
> > cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> > vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> > ...snip...
> > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> > ...snip...
> > policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> > policyset.serverCertSet.pp.constraint.name=Extension Constraint
> > policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp.constraint.params.extCritical=false
> > policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> > policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp.default.params.userExtCritical=false
>
> Excellent, it works like a charm! I just changed
> extensionConstraintImpl to noConstraintImpl so that the extensions are
> not mandatory anymore. Here is the complete puppet trusted facts
> sequence. Useful for using DogTag (FreeIPA in my case) as an external
> PKI for Puppet.
>
>
>
> Many thanks
> Joris
>
> policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
> policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
> policyset.serverCertSet.pp1.constraint.params.extCritical=false
> policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
> policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
> policyset.serverCertSet.pp1.default.params.userExtCritical=false
> policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
> policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
> policyset.serverCertSet.pp2.constraint.params.extCritical=false
> policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
> policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
> policyset.serverCertSet.pp2.default.params.userExtCritical=false
> policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
> policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
> policyset.serverCertSet.pp3.constraint.params.extCritical=false
> policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
> policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
> policyset.serverCertSet.pp3.default.params.userExtCritical=false
> policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
> policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
> policyset.serverCertSet.pp4.constraint.params.extCritical=false
> policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
> policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
> policyset.serverCertSet.pp4.default.params.userExtCritical=false
> policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
> policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
> policyset.serverCertSet.pp5.constraint.params.extCritical=false
> policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
> policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
> policyset.serverCertSet.pp5.default.params.userExtCritical=false
> policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
> policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
> policyset.serverCertSet.pp6.constraint.params.extCritical=false
> policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
> policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
> policyset.serverCertSet.pp6.default.params.userExtCritical=false
> policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
> policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
> policyset.serverCertSet.pp7.constraint.params.extCritical=false
> policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
> policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
> policyset.serverCertSet.pp7.default.params.userExtCritical=false
> policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
> policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
> policyset.serverCertSet.pp8.constraint.params.extCritical=false
> policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
> policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
> policyset.serverCertSet.pp8.default.params.userExtCritical=false
> policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
> policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
> policyset.serverCertSet.pp9.constraint.params.extCritical=false
> policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
> policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
> policyset.serverCertSet.pp9.default.params.userExtCritical=false
> policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
> policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
> policyset.serverCertSet.pp10.constraint.params.extCritical=false
> policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
> policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
> policyset.serverCertSet.pp10.default.params.userExtCritical=false
> policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
> policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
> policyset.serverCertSet.pp11.constraint.params.extCritical=false
> policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
> policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
> policyset.serverCertSet.pp11.default.params.userExtCritical=false
> policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
> policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
> policyset.serverCertSet.pp12.constraint.params.extCritical=false
> policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
> policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
> policyset.serverCertSet.pp12.default.params.userExtCritical=false
> policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
> policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp13.constraint.params.extCritical=false
> policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
> policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp13.default.params.userExtCritical=false
> policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
> policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
> policyset.serverCertSet.pp14.constraint.params.extCritical=false
> policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
> policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
> policyset.serverCertSet.pp14.default.params.userExtCritical=false
> policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
> policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
> policyset.serverCertSet.pp15.constraint.params.extCritical=false
> policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
> policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
> policyset.serverCertSet.pp15.default.params.userExtCritical=false
> policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
> policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
> policyset.serverCertSet.pp16.constraint.params.extCritical=false
> policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
> policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
> policyset.serverCertSet.pp16.default.params.userExtCritical=false
> policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
> policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
> policyset.serverCertSet.pp17.constraint.params.extCritical=false
> policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
> policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
> policyset.serverCertSet.pp17.default.params.userExtCritical=false
> policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
> policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
> policyset.serverCertSet.pp18.constraint.params.extCritical=false
> policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
> policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
> policyset.serverCertSet.pp18.default.params.userExtCritical=false
> policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
> policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
> policyset.serverCertSet.pp19.constraint.params.extCritical=false
> policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
> policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
> policyset.serverCertSet.pp19.default.params.userExtCritical=false
> policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
> policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
> policyset.serverCertSet.pp20.constraint.params.extCritical=false
> policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
> policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
> policyset.serverCertSet.pp20.default.params.userExtCritical=false
> policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
> policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
> policyset.serverCertSet.pp21.constraint.params.extCritical=false
> policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
> policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
> policyset.serverCertSet.pp21.default.params.userExtCritical=false
> policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
> policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
> policyset.serverCertSet.pp22.constraint.params.extCritical=false
> policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
> policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
> policyset.serverCertSet.pp22.default.params.userExtCritical=false
> policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
> policyset.serverCertSet.pp23.constraint.params.extCritical=false
> policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
> policyset.serverCertSet.pp23.default.params.userExtCritical=false
> policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
> policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
> policyset.serverCertSet.pp24.constraint.params.extCritical=false
> policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
> policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
> policyset.serverCertSet.pp24.default.params.userExtCritical=false
> policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
> policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
> policyset.serverCertSet.pp25.constraint.params.extCritical=false
> policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
> policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
> policyset.serverCertSet.pp25.default.params.userExtCritical=false
>
>
>
>
> >
> > restart the CA and apply a CSR to the modified profile that has a user
> > supplied extension for that OID, and a value; they should then appear in
> > the X509v3 extensions of the issued certificate
> >
> > On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <joris.dedieu at gmail.com>
> wrote:
> >>
> >> Hi list,
> >> I'm currently trying to add some extensions (for puppet trusted
> >> facts: https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> >> to my certificates. As far as I understand, I have to create / modify
> >> a profile to do so. From the CSR, I can see the request extension
> >>
> >>
> >>         Requested Extensions:
> >>             1.3.6.1.4.1.34380.1.1.13:
> >>                 ..my_puppet_role
> >>             X509v3 Subject Alternative Name:
> >>
> >> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13
> >> and retrieve its value in $request$? Is there something similar,
> >> somewhere that I can use as an example? A doc to read?
> >>
> >> Many thanks
> >> Joris
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >
> >
>
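Added example, not code from the thread, Dogtag or Puppet: a standard-library Python script covering two points the exchange leaves implicit. First, the CSR dump in Joris's question shows the value as `..my_puppet_role`: the two dots are the DER UTF8String tag (0x0C) and the length byte (0x0E), which openssl prints as non-printable characters; the script encodes and strictly decodes that value, rejecting malformed DER, since the CSR is requester-controlled input to the CA. Second, it renders the `policyset.serverCertSet.*` profile lines for any subset of the pp_* OIDs, including the `policyset.serverCertSet.list=` entry that Marc's snippet shows and that must name every new policy id. Assumptions, marked in the code: the existing policy ids are 1 to 8 as in Marc's `list=` line (read the real ones from your caServerCert.cfg), the value is a UTF8String or PrintableString, and the pp_* numbering is the one posted above.

```python
"""Added example (not from the thread, Dogtag or Puppet). Standard library only.

DER helpers for the Puppet trusted-fact extension value found in the CSR,
plus a generator for the Dogtag profile policy entries.
"""

PUPPET_ARC = "1.3.6.1.4.1.34380.1.1"   # Puppet's OID arc, from the thread's config
# pp_* numbering as posted in the thread (assumed complete and current).
PUPPET_FACTS = {
    1: "pp_uuid", 2: "pp_instance_id", 3: "pp_image_name", 4: "pp_preshared_key",
    5: "pp_cost_center", 6: "pp_product", 7: "pp_project", 8: "pp_application",
    9: "pp_service", 10: "pp_employee", 11: "pp_created_by", 12: "pp_environment",
    13: "pp_role", 14: "pp_software_version", 15: "pp_department", 16: "pp_cluster",
    17: "pp_provisioner", 18: "pp_region", 19: "pp_datacenter", 20: "pp_zone",
    21: "pp_network", 22: "pp_securitypolicy", 23: "pp_cloudplatform",
    24: "pp_apptier", 25: "pp_hostname",
}
UTF8STRING, PRINTABLESTRING = 0x0C, 0x13   # ASN.1 universal tags (assumed encodings)


def der_length(n: int) -> bytes:
    """Minimal DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_utf8string(text: str) -> bytes:
    """DER UTF8String TLV, the shape of the extensionRequest value in the CSR."""
    payload = text.encode("utf-8")
    return bytes([UTF8STRING]) + der_length(len(payload)) + payload


def decode_string_value(der: bytes) -> str:
    """Strictly decode one UTF8String/PrintableString TLV.

    Rejects other tags, non-minimal lengths, truncation and trailing bytes:
    a CA policy reading the value out of $request$ should not accept sloppy
    DER from a requester-controlled CSR.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if tag not in (UTF8STRING, PRINTABLESTRING):
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    pos = 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < pos + nbytes:
            raise ValueError("bad long-form length")
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        if der[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    payload = der[pos:pos + length]
    if len(payload) != length or pos + length != len(der):
        raise ValueError("length mismatch or trailing data")
    return payload.decode("utf-8" if tag == UTF8STRING else "ascii")


def openssl_style_dump(der: bytes) -> str:
    """Mimic how openssl prints an unknown extension: non-printables as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in der)


def profile_policies(fact_numbers, base_ids=("1", "2", "3", "4", "5", "6", "7", "8"),
                     mandatory=False) -> str:
    """Render the caServerCert.cfg lines for the given pp_* numbers.

    base_ids is an assumption taken from Marc's `list=1,...,8,pp` line; read
    the real ids from your profile. mandatory=True uses extensionConstraintImpl
    (the CSR must carry the OID) as in Marc's snippet; False uses
    noConstraintImpl, Joris's choice, so the extension becomes optional.
    """
    constraint = "extensionConstraintImpl" if mandatory else "noConstraintImpl"
    ids = [f"pp{n}" for n in fact_numbers]
    lines = ["policyset.serverCertSet.list=" + ",".join([*base_ids, *ids])]
    for n in fact_numbers:
        oid, name = f"{PUPPET_ARC}.{n}", f"Puppet trusted fact {PUPPET_FACTS[n]}"
        p = f"policyset.serverCertSet.pp{n}"
        lines += [
            f"{p}.constraint.class_id={constraint}",
            f"{p}.constraint.name={name}",
            f"{p}.constraint.params.extOID={oid}",
            f"{p}.constraint.params.extCritical=false",
            f"{p}.default.class_id=userExtensionDefaultImpl",
            f"{p}.default.name={name}",
            f"{p}.default.params.userExtOID={oid}",
            f"{p}.default.params.userExtCritical=false",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    der = encode_utf8string("my_puppet_role")   # constructed sample value
    print(openssl_style_dump(der), "->", decode_string_value(der))
    print(profile_policies([13]))
```

Running the script prints the `..my_puppet_role` rendering beside the decoded string, then the pp13 (pp_role) policy block with its `list=` line; pass `sorted(PUPPET_FACTS)` to get the full set from the thread. The decoder deliberately fails closed on trailing bytes and non-minimal lengths rather than guessing, which is the behaviour you want before a value from a CSR is copied into an issued certificate.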