[Pki-users] How to add a custom extension to a profile

Fraser Tweedale ftweedal at redhat.com
Mon Dec 12 01:18:11 UTC 2016


On Fri, Dec 09, 2016 at 10:53:57AM -0800, Marc Sauton wrote:
> Glad it helps.
> Note in the context of IPA, the PKI / Dogtag profiles are now stored in the
> LDAP server backend, so the procedure is different in FreeIPA 4.4.
> If those changes are working fine in your environment, and if this may
> benefit others, as puppet makes use of more PKI, I would propose to open a
> RFE to add a new profile by default in the Dogtag project (so it can make
> its way to FreeIPA), and/or document this in the wiki or on an article that
> I can add to https://access.redhat.com/ for the "Red Hat Certificate
> System" product.
> Thanks for any feedback,
> M.
> 
Better to open such an RFE against FreeIPA, IMO.  There is no need
for the profile to be defined by the Dogtag project.

Thanks,
Fraser

> On Fri, Dec 9, 2016 at 1:50 AM, joris dedieu <joris.dedieu at gmail.com> wrote:
> 
> > Hi Marc,
> >
> > 2016-12-09 1:05 GMT+01:00 Marc Sauton <msauton at redhat.com>:
> > > you could try to modify a profile for SSL server certificate enrollment:
> > >
> > > cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> > > vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> > > ...snip...
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> > > ...snip...
> > > policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> > > policyset.serverCertSet.pp.constraint.name=Extension Constraint
> > > policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> > > policyset.serverCertSet.pp.constraint.params.extCritical=false
> > > policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> > > policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> > > policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> > > policyset.serverCertSet.pp.default.params.userExtCritical=false
> >
> > Excellent, it works like a charm! I just changed
> > extensionConstraintImpl to noConstraintImpl so that the extensions are
> > not mandatory anymore.  Here is the complete puppet trusted facts
> > sequence.  Useful for using DogTag (FreeIPA in my case) as an external
> > PKI for Puppet.
> >
> > Many thanks
> > Joris
> >
> > policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
> > policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
> > policyset.serverCertSet.pp1.constraint.params.extCritical=false
> > policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
> > policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
> > policyset.serverCertSet.pp1.default.params.userExtCritical=false
> > policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
> > policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
> > policyset.serverCertSet.pp2.constraint.params.extCritical=false
> > policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
> > policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
> > policyset.serverCertSet.pp2.default.params.userExtCritical=false
> > policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
> > policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
> > policyset.serverCertSet.pp3.constraint.params.extCritical=false
> > policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
> > policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
> > policyset.serverCertSet.pp3.default.params.userExtCritical=false
> > policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
> > policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
> > policyset.serverCertSet.pp4.constraint.params.extCritical=false
> > policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
> > policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
> > policyset.serverCertSet.pp4.default.params.userExtCritical=false
> > policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
> > policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
> > policyset.serverCertSet.pp5.constraint.params.extCritical=false
> > policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
> > policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
> > policyset.serverCertSet.pp5.default.params.userExtCritical=false
> > policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
> > policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
> > policyset.serverCertSet.pp6.constraint.params.extCritical=false
> > policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
> > policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
> > policyset.serverCertSet.pp6.default.params.userExtCritical=false
> > policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
> > policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
> > policyset.serverCertSet.pp7.constraint.params.extCritical=false
> > policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
> > policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
> > policyset.serverCertSet.pp7.default.params.userExtCritical=false
> > policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
> > policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
> > policyset.serverCertSet.pp8.constraint.params.extCritical=false
> > policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
> > policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
> > policyset.serverCertSet.pp8.default.params.userExtCritical=false
> > policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
> > policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
> > policyset.serverCertSet.pp9.constraint.params.extCritical=false
> > policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
> > policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
> > policyset.serverCertSet.pp9.default.params.userExtCritical=false
> > policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
> > policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
> > policyset.serverCertSet.pp10.constraint.params.extCritical=false
> > policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
> > policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
> > policyset.serverCertSet.pp10.default.params.userExtCritical=false
> > policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
> > policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
> > policyset.serverCertSet.pp11.constraint.params.extCritical=false
> > policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
> > policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
> > policyset.serverCertSet.pp11.default.params.userExtCritical=false
> > policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
> > policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
> > policyset.serverCertSet.pp12.constraint.params.extCritical=false
> > policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
> > policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
> > policyset.serverCertSet.pp12.default.params.userExtCritical=false
> > policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
> > policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp13.constraint.params.extCritical=false
> > policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
> > policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp13.default.params.userExtCritical=false
> > policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
> > policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
> > policyset.serverCertSet.pp14.constraint.params.extCritical=false
> > policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
> > policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
> > policyset.serverCertSet.pp14.default.params.userExtCritical=false
> > policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
> > policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
> > policyset.serverCertSet.pp15.constraint.params.extCritical=false
> > policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
> > policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
> > policyset.serverCertSet.pp15.default.params.userExtCritical=false
> > policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
> > policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
> > policyset.serverCertSet.pp16.constraint.params.extCritical=false
> > policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
> > policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
> > policyset.serverCertSet.pp16.default.params.userExtCritical=false
> > policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.constraint.params.extCritical=false
> > policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.default.params.userExtCritical=false
> > policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.constraint.params.extCritical=false
> > policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.default.params.userExtCritical=false
> > policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.constraint.params.extCritical=false
> > policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.default.params.userExtCritical=false
> > policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.constraint.params.extCritical=false
> > policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.default.params.userExtCritical=false
> > policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.constraint.params.extCritical=false
> > policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.default.params.userExtCritical=false
> > policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.constraint.params.extCritical=false
> > policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.default.params.userExtCritical=false
> > policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.constraint.params.extCritical=false
> > policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.default.params.userExtCritical=false
> > policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.constraint.params.extCritical=false
> > policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.default.params.userExtCritical=false
> > policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.constraint.params.extCritical=false
> > policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.default.params.userExtCritical=false
> >
> > >
> > > restart the CA and apply a CSR to the modified profile that has a user
> > > supplied extension for that OID, and a value; they should then appear in
> > > the X509v3 extensions of the issued certificate
> > >
> > > On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <joris.dedieu at gmail.com> wrote:
> > >>
> > >> Hi list,
> > >> I'm currently trying to add some extensions (for puppet trusted facts,
> > >> https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> > >> to my certificates. As far as I understand, I have to create / modify
> > >> a profile to do so. From the CSR, I can see the request extension
> > >>
> > >>
> > >>         Requested Extensions:
> > >>             1.3.6.1.4.1.34380.1.1.13:
> > >>                 ..my_puppet_role
> > >>             X509v3 Subject Alternative Name:
> > >>
> > >> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and
> > >> retrieve its value in $request$? Is there something similar,
> > >> somewhere, that I can use as an example? A doc to read?
> > >>
> > >> Many thanks
> > >> Joris
> > >>
> > >> _______________________________________________
> > >> Pki-users mailing list
> > >> Pki-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/pki-users
> > >
> > >
> >
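The thread's answer has two halves: the CSR carries a "requested extension" whose value the dump above prints as `..my_puppet_role` (two non-printable bytes followed by the string), and the Dogtag profile needs a `userExtensionDefaultImpl` policy whose `userExtOID` matches it, paired with either `extensionConstraintImpl` (CSR must supply the extension) or `noConstraintImpl` (optional, Joris's change). The script below is an added example, not code from the thread, Dogtag or Puppet. It parses a profile fragment and reports every user-extension policy with its OID, whether the CSR is required to carry it, and any constraint/default mismatch; and it encodes and decodes the extension value as a DER UTF8String, which is what the two leading bytes in the dump (tag 0x0c, length 0x0e) correspond to on the assumption that Puppet encodes its trusted-fact values that way. `SAMPLE_PROFILE` is a constructed fragment based on the pp13 entry above; the function names are this example's own.

```python
"""Added example (not from the thread): inspect a Dogtag/RHCS profile fragment
for user-supplied extension policies, and encode/decode the DER UTF8String
value that a Puppet CSR carries for such an extension."""

# OID arc for Puppet trusted facts; the CSR in the thread requests
# 1.3.6.1.4.1.34380.1.1.13 (pp_role).
PUPPET_ARC = "1.3.6.1.4.1.34380.1.1."

# Constructed sample: the pp13 entry from the thread plus one ordinary
# policy, so the filter in user_extension_policies() has something to skip.
SAMPLE_PROFILE = """\
policyset.list=serverCertSet
policyset.serverCertSet.list=1,pp13
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.constraint.params.extCritical=false
policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.default.params.userExtCritical=false
"""


def parse_profile(text):
    """Return {key: value} for the non-empty, non-comment lines of a .cfg."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def user_extension_policies(cfg, policyset="serverCertSet"):
    """Describe each policy in the set whose default copies a CSR extension.

    'required' is True when the constraint is extensionConstraintImpl (the CSR
    must carry the extension) and False for noConstraintImpl. 'problems' lists
    mismatches a reviewer would flag before loading the profile.
    """
    base = f"policyset.{policyset}."
    found = []
    for pid in cfg.get(base + "list", "").split(","):
        pid = pid.strip()
        if cfg.get(f"{base}{pid}.default.class_id") != "userExtensionDefaultImpl":
            continue
        oid = cfg.get(f"{base}{pid}.default.params.userExtOID", "")
        constraint = cfg.get(f"{base}{pid}.constraint.class_id", "")
        problems = []
        if constraint == "extensionConstraintImpl":
            c_oid = cfg.get(f"{base}{pid}.constraint.params.extOID", "")
            if c_oid != oid:
                problems.append(f"constraint extOID {c_oid!r} != default userExtOID {oid!r}")
        elif constraint != "noConstraintImpl":
            problems.append(f"unexpected constraint class {constraint!r}")
        if cfg.get(f"{base}{pid}.default.params.userExtCritical", "false") != "false":
            # RFC 5280: a relying party must reject a certificate carrying a
            # critical extension it does not recognise, so private OIDs stay
            # non-critical.
            problems.append("critical flag set on a private extension")
        found.append({"id": pid, "oid": oid,
                      "required": constraint == "extensionConstraintImpl",
                      "puppet": oid.startswith(PUPPET_ARC),
                      "problems": problems})
    return found


def der_utf8string(value):
    """DER-encode a UTF8String (tag 0x0c, then length, then UTF-8 bytes)."""
    raw = value.encode("utf-8")
    if len(raw) < 0x80:
        length = bytes([len(raw)])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        n = (len(raw).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(raw).to_bytes(n, "big")
    return b"\x0c" + length + raw


def der_decode_utf8string(data):
    """Inverse of der_utf8string; rejects anything that is not a UTF8String."""
    if data[0:1] != b"\x0c":
        raise ValueError("not a DER UTF8String")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    body = data[offset:offset + length]
    if len(body) != length or data[offset + length:]:
        raise ValueError("length does not match payload")
    return body.decode("utf-8")


if __name__ == "__main__":
    for pol in user_extension_policies(parse_profile(SAMPLE_PROFILE)):
        print(pol)
    print(der_utf8string("my_puppet_role").hex())
```

Run against a real profile, `user_extension_policies()` is the check to do before restarting the CA, since a mismatched `extOID`/`userExtOID` pair silently fails to copy the value; the critical-flag check matters because Puppet's OIDs are private and a relying party that does not know them must reject a certificate marking them critical.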
