[Pki-users] SubjectAltName - how?

Supper Florian 6342 sIT Florian.Supper at s-itsolutions.at
Tue Nov 15 09:22:41 UTC 2016


Hi,
You have to add the following lines to your certificate profile:

policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17

Then the SANs will be added to the certificate.

BR
Florian

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Ian Koenig
Sent: Monday, 14 November 2016 19:18
To: pki-users at redhat.com
Subject: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]

Hi all,

I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2
(build 1511) system.

I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.

What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is

[ ... ]
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com

[ ... ]

This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
set up a profile in Dogtag to allow this CSR with SAN to get approved?

Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
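
Added example, not part of the thread and not Dogtag code: a small audit of a profile file for the policy shown in the reply. It reports every policy that copies a user-supplied SubjectAltName (OID 2.5.29.17) from the CSR, whether that policy id appears in the set's policy list, and whether it is paired with noConstraintImpl, in which case the CA does not check the requested names and the approving agent has to. Assumptions: the usual profile layout in which policyset.<set>.list names the active policy ids; the sample text and the function names are constructed for illustration.

```python
import re

SAN_OID = "2.5.29.17"  # subjectAltName, the OID used in the reply above

# Constructed sample: the six lines from the reply plus two list lines.
# Assumed layout: policyset.<set>.list enumerates the active policy ids.
SAMPLE_PROFILE = """\
policyset.list=ServerProfile
policyset.ServerProfile.list=1,2,3
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
"""

POLICY = re.compile(r"^policyset\.([^.]+)\.(\d+)\.(constraint|default)\.(.+)$")
PLIST = re.compile(r"^policyset\.([^.]+)\.list$")

def parse_profile(text):
    """Return ({(set, id): {"default.class_id": ..., ...}}, {set: [ids]})."""
    policies, lists = {}, {}
    for raw in text.splitlines():
        key, sep, value = (s.strip() for s in raw.partition("="))
        if not sep or key.startswith("#"):
            continue  # blank line, comment, or not a key=value pair
        m = POLICY.match(key)
        if m:
            pset, pid, side, rest = m.groups()
            policies.setdefault((pset, pid), {})[f"{side}.{rest}"] = value
        elif (m := PLIST.match(key)):
            lists[m.group(1)] = [i.strip() for i in value.split(",") if i.strip()]
    return policies, lists

def audit_san_passthrough(text):
    """List policies that copy a user-supplied SAN extension from the CSR."""
    policies, lists = parse_profile(text)
    findings = []
    for (pset, pid), p in sorted(policies.items()):
        if (p.get("default.class_id") != "userExtensionDefaultImpl"
                or p.get("default.params.userExtOID") != SAN_OID):
            continue
        findings.append({
            "policy": f"{pset}.{pid}",
            "listed": pid in lists.get(pset, []),  # False: id missing from list
            "unconstrained": p.get("constraint.class_id") == "noConstraintImpl",
        })
    return findings
```

On the constructed sample the policy is found but reported as not listed, because the list line still reads 1,2,3; adding 10 to it changes that result.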