[Pki-users] SubjectAltName - how?

Ian Koenig iguy at ionsphere.org
Tue Nov 15 18:57:04 UTC 2016


Thanks Supper. Is there clear documentation on how to create a new
certificate profile that is visible via the WebUI?

I tried this process:

1) pki -C client_password.txt -n caadmin ca-server-show --output
caServerSANCert.cfg --raw caServerCert

   a) Add in the lines you specified above to caServerSANCert.cfg

   b) Update the line profileID to be caServerSANCert

2) pki -C client_password.txt -n caadmin ca-profile-add --raw
caServerSANCert.cfg

3) Approve this new profile.

What happens is that when I attempt to issue a cert request via the WebUI,
there are no inputs for me to fill in like in the default caServerCert profile.
Just some text about the cert profile and description, then "Inputs" in bold
and a Submit button.


Thanks
ian


On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
Florian.Supper at s-itsolutions.at> wrote:

> Hi,
> You have to add the following lines into your certificate profile..
>
> policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
> policyset.ServerProfile.10.constraint.name=No Constraint
> policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
> policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
> policyset.ServerProfile.10.default.name=User Supplied Extension Default
> policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
>
> Then the SAN's will be added to the certificate.
>
> BR
> Florian
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On behalf of Ian Koenig
> Sent: Monday, 14 November 2016 19:18
> To: pki-users at redhat.com
> Subject: [Pki-users] SubjectAltName - how?
>
> Hi all,
>
> I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2
> (build 1511) system.
>
> I can request and approve various different certs through the system
> successfully and have it working properly with SSL client certificates in
> Chrome.
>
> What I haven't been able to figure out is how to generate a server SSL Cert
> that has SubjectAltName entries in it.   An example cnf file I have tried
> is
>
> [...]
> [ v3_req ]
>
> # Extensions to add to a certificate request
>
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName = @alt_names
>
> [ alt_names ]
> DNS.1 = demo.myhome.com
> DNS.2 = demo
> DNS.3 = demo.prod.myhome.com
>
> [...]
>
> This generates a valid CSR with the SubjectAltNames in it.   However when I
> send it through to be approved on Dogtag, the SAN gets removed.  How do I
> setup a profile in Dogtag to allow this CSR with SAN get approved?
>
> Thanks
> ian
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
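Steps 1a and 1b above, done against the raw profile text instead of by hand, as an added example that is not from this thread or from Dogtag itself. The policy set name and next free index are read from the exported config (Florian's lines assume a set called ServerProfile; caServerCert may name its set differently), and the new entry is registered in the set's `.list` key, which Dogtag uses to enumerate a policy set's entries. The sample config is constructed and shortened.

```python
SAN_OID = "2.5.29.17"  # subjectAltName

# Constructed, shortened stand-in for `ca-profile-show --raw caServerCert` output.
SAMPLE_RAW = """\
profileId=caServerCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.2.default.class_id=keyUsageExtDefaultImpl
"""

def parse_raw(text):
    """Parse the raw key=value profile format; '#' lines and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def to_raw(cfg):
    """Serialize back to the format `ca-profile-add --raw` reads."""
    return "".join(f"{k}={v}\n" for k, v in sorted(cfg.items()))

def policy_indexes(cfg, pset):
    """Indexes listed in policyset.<pset>.list, as ints."""
    return [int(i) for i in cfg.get(f"policyset.{pset}.list", "").split(",") if i.strip()]

def add_san_default(cfg, profile_id):
    """Copy cfg under a new profileId; any policy set without a pass-through SAN
    default gets one at its next free index, registered in the set's .list key."""
    out = dict(cfg)
    out["profileId"] = profile_id
    for pset in filter(None, map(str.strip, out.get("policyset.list", "").split(","))):
        used = policy_indexes(out, pset)
        if any(out.get(f"policyset.{pset}.{i}.default.params.userExtOID") == SAN_OID
               for i in used):
            continue  # this set already copies the CSR's SAN extension
        idx = max(used, default=0) + 1
        p = f"policyset.{pset}.{idx}"
        out[f"{p}.constraint.class_id"] = "noConstraintImpl"
        out[f"{p}.constraint.name"] = "No Constraint"
        out[f"{p}.default.class_id"] = "userExtensionDefaultImpl"
        out[f"{p}.default.name"] = "User Supplied Extension Default"
        out[f"{p}.default.params.userExtOID"] = SAN_OID
        out[f"policyset.{pset}.list"] = ",".join(map(str, used + [idx]))
    return out
```

Write `to_raw(add_san_default(parse_raw(exported), "caServerSANCert"))` to caServerSANCert.cfg and feed it to `ca-profile-add --raw`; after issuing a test cert, confirm the SAN survived with `openssl x509 -noout -ext subjectAltName`.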