[Pki-users] SubjectAltName - how?

Ian Koenig iguy at ionsphere.org
Wed Nov 16 20:40:17 UTC 2016


I've tried a variety of ways to get this to go into the system, and either I'm
missing something obvious or there's something buggy going on.  I figured
out that the test system that wasn't giving me inputs to fill in on the request
was an older version, 10.2.5.   I've updated that system to 10.3.3.

* pki ca-profile-show --output caServerCert.cfg --raw caServerCert
* pki ca-profile-disable caServerCert
Edit the file and add in the following lines to the bottom of the profile:
[...---...]
# Policy 10: no constraint; copy the user-supplied extension with OID 2.5.29.17
# (id-ce-subjectAltName) from the request into the certificate. Dogtag only
# evaluates policy indexes named in policyset.serverCertSet.list, so 10 has to
# be added to that list as well.
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
[...---...]
NOTE:  I changed the policyset name to match what the rest of the profile uses
in the default caServerCert profile from the 10.3.3 install, i.e. from
ServerProfile to serverCertSet.
* pki ca-profile-add caServerCert.cfg --raw

Then go to the WebUI and submit a request that has SAN entries in it.
After I approve it, there are no SANs in the cert.

What am I missing?


Thanks
ian


On Tue, 15 Nov 2016 at 12:57 Ian Koenig <iguy at ionsphere.org> wrote:

> Thanks Supper.   Is there clear documentation on how to create a new
> certificate profile that is visible via the WebUI?
>
> I tried this process:
>
> 1) pki -C client_password.txt -n caadmin ca-server-show --output
> caServerSANCert.cfg --raw caServerCert
>
>    a) Add in the lines you specified above to caServerSANCert.cfg
>
>    b) Update the line profileID to be caServerSANCert
>
> 4) pki -C client_password.txt -n caadmin ca-profile-add --raw
> caServerSANCert.cfg
>
> 5) Approve this new profile.
>
> What happens is that when I attempt to issue a cert request via the WebUI, there
> are no inputs for me to fill in like there are with the default caServerCert profile.
> Just some text about the cert profile and description, then "Inputs" in bold and
> a Submit button.
>
>
> Thanks
> ian
>
>
> On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
> Florian.Supper at s-itsolutions.at> wrote:
>
> Hi,
> You have to add the following lines to your certificate profile:
>
> policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
> policyset.ServerProfile.10.constraint.name=No Constraint
> policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
> policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
> policyset.ServerProfile.10.default.name=User Supplied Extension Default
> policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
>
> Then the SANs will be added to the certificate.
>
> BR
> Florian
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On behalf of Ian Koenig
> Sent: Monday, 14 November 2016 19:18
> To: pki-users at redhat.com
> Subject: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
>
> Hi all,
>
> I have Dogtag 10.3.3 installed from the COPR @pki effort onto a CentOS 7.2
> (build 1511) system.
>
> I can request and approve various different certs through the system
> successfully and have it working properly with SSL client certificates in
> Chrome.
>
> What I haven't been able to figure out is how to generate a server SSL Cert
> that has SubjectAltName entries in it.   An example cnf file I have tried
> is
>
> [...]
> [ v3_req ]
>
> # Extensions to add to a certificate request
>
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName = @alt_names
>
> [ alt_names ]
> DNS.1 = demo.myhome.com
> DNS.2 = demo
> DNS.3 = demo.prod.myhome.com
>
> [...]
>
> This generates a valid CSR with the SubjectAltNames in it.   However when I
> send it through to be approved on Dogtag, the SAN gets removed.  How do I
> setup a profile in Dogtag to allow this CSR with SAN get approved?
>
> Thanks
> ian
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
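An added example, not code from the thread or from Dogtag: the script below builds a CSR that requests the same SAN entries as the cnf above, confirms the extension is present in the request, and then signs the CSR twice with a throwaway OpenSSL CA. The first signing ignores the request's extensions, the second re-applies the v3_req section. Only the second certificate carries the SAN, which is the behaviour the profile change above has to reproduce on the Dogtag side: the signer, not the requester, decides which extensions end up in the certificate. The scratch directory, file names and the self-signed CA are assumptions of this example; the hostnames are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Dogtag: show that a SAN requested
# in a CSR reaches the certificate only if the signing CA emits it.
set -eu

WORK=$(mktemp -d)                 # scratch dir (assumption), removed on exit
trap 'rm -rf "$WORK"' EXIT

# Constructed request config; hostnames are the thread's placeholders.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = demo.myhome.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com
EOF

# Self-signed throwaway CA standing in for the Dogtag CA (assumption).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Throwaway Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key plus CSR carrying the requested SAN extension.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign ignoring the request's extensions: what a profile with no SAN default does.
sign_dropping_san() {
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/no-san.crt" 2>/dev/null
}

# Sign emitting the SAN. Here the signer re-applies the v3_req section; the
# Dogtag profile does it with userExtensionDefaultImpl / userExtOID=2.5.29.17.
sign_keeping_san() {
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/req.cnf" -extensions v3_req \
    -out "$WORK/san.crt" 2>/dev/null
}

# Number of DNS entries in the SAN of a CSR ($1=req) or certificate ($1=x509).
# Prints 0 when the extension is absent.
san_dns_count() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^,[:space:]]*' \
    | wc -l | tr -d ' '
}

make_ca
make_csr
sign_dropping_san
sign_keeping_san
echo "SAN DNS names in CSR:                $(san_dns_count req  "$WORK/server.csr")"
echo "SAN DNS names in cert (SAN dropped): $(san_dns_count x509 "$WORK/no-san.crt")"
echo "SAN DNS names in cert (SAN kept):    $(san_dns_count x509 "$WORK/san.crt")"
```

The same check (`openssl x509 -in issued.crt -noout -text | grep -A1 'Subject Alternative Name'`) is the quickest way to confirm whether a certificate approved through the Dogtag WebUI actually carries the names the CSR asked for.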