From spawn at rloteck.net Wed Jan 11 00:35:36 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Tue, 10 Jan 2017 16:35:36 -0800
Subject: [Pki-users] SAN on Certificate

Hi Everyone,

I am sorry for asking this question again, but the last time I asked it, I was confused with the answer. I am trying to create a "certificate profile" that will support 3 to 4 SAN (Subject Alternative Names), since the current profiles do not have support for this by default. I was trying to duplicate the "Manual Server Certificate Enrollment" profile and add SAN support. I tried using this as a guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

and

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html

This is what the profile looks like:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1

The CSR looks like this:

Common Name: node1.example.com
Subject Alternative Names: test.example.com, test1.example.com, test2.example.com
Organization: Test Corp
Organization Unit: IT Department
Locality: LA
State: OR
Country: US

I am going to do this instead of using wildcard certs.

Thanks,

Rafael

From spawn at rloteck.net Thu Jan 12 22:36:36 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 12 Jan 2017 22:36:36 +0000
Subject: [Pki-users] SAN on Certificate

Any takers?

On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa wrote:
> Hi Everyone,
>
> I am sorry for asking this question again, but the last time I asked
> it, I was confused with the answer.
> [...]

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Thu Jan 12 23:05:45 2017
From: jmagne at redhat.com (John Magne)
Date: Thu, 12 Jan 2017 18:05:45 -0500 (EST)
Subject: [Pki-users] SAN on Certificate
Message-ID: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com>

Hi:

Is there any way you can reproduce the confusing answer you got, which may give us a head start?

----- Original Message -----
> From: "Rafael Leiva-Ochoa"
> To: pki-users at redhat.com
> Sent: Thursday, January 12, 2017 2:36:36 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> Any takers?
> [...]

From spawn at rloteck.net Thu Jan 12 23:08:50 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 12 Jan 2017 23:08:50 +0000
Subject: [Pki-users] SAN on Certificate
In-Reply-To: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com>
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com>

I can send you the email that I got from the list? Will this be good?

Thanks,

R

On Thu, Jan 12, 2017 at 3:05 PM John Magne wrote:
> Hi:
>
> Is there any way you can reproduce the confusing answer you got, which may
> give us a head start?
> [...]

From jmagne at redhat.com Thu Jan 12 23:25:41 2017
From: jmagne at redhat.com (John Magne)
Date: Thu, 12 Jan 2017 18:25:41 -0500 (EST)
Subject: [Pki-users] SAN on Certificate
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com>
Message-ID: <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com>

Yeah sure, just forward it to the list.

----- Original Message -----
From: "Rafael Leiva-Ochoa"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Thursday, January 12, 2017 3:08:50 PM
Subject: Re: [Pki-users] SAN on Certificate

I can send you the email that I got from the list? Will this be good?

Thanks,

R
[...]

From spawn at rloteck.net Thu Jan 12 23:38:11 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 12 Jan 2017 23:38:11 +0000
Subject: [Pki-users] SAN on Certificate
In-Reply-To: <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com>
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com> <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com>

Here is the last one I got...

"The patterns are defined, "hard-coded", as part of the profile configuration. Therefore the number of SANs for any given profile is fixed (if you are using the SubjectAltNameExtDefault class). Each pattern gets formatted using information available in the request. See the documentation linked below for a table of the variables you can include in these patterns.

I cannot see a way to propagate arbitrary domain names, other than the CN (which is available as the $request.req_subject_name.cn$ variable), into SAN names, via SubjectAltNameExtDefault."

You also responded with the links I have on this email.

The original email subject on the list was: "SAN Feild in the MSCE profile". I think you told me last time you were too busy to help.

Thanks,

R

On Thu, Jan 12, 2017 at 3:25 PM John Magne wrote:
> Yeah sure, just forward it to the list.
> [...]

From jmagne at redhat.com Fri Jan 13 00:53:26 2017
From: jmagne at redhat.com (John Magne)
Date: Thu, 12 Jan 2017 19:53:26 -0500 (EST)
Subject: [Pki-users] SAN on Certificate
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com> <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com>
Message-ID: <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com>

Hi:

Not to sound like a broken record and say the same thing again, but I looked at this link you printed:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

Note in there for the custom profile it has this setting:

policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4

Then for each "index" it has some different settings that determine how the info is gathered for that particular SAN, like this:

policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$

and

policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$

Off the top of my head, I'm not sure where it's getting those "values" from. I'd have to go try it myself.

But to start with you might want to just configure your profile in this kind of way, and then we can figure out any problems with where the data is coming from.

It may take a quick look at the code to see what is going on there.

thanks,
jack

As a first test, if you are not providing the proper data for say 2 or 3 SANs, I suspect that the final output may show that you tried to set 3 SANs but the data is null or something.

thanks,
jack

----- Original Message -----
> From: "Rafael Leiva-Ochoa"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Thursday, January 12, 2017 3:38:11 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> Here is the last one I got...
> [...]

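The profile mechanics the thread circles around (the poster's subjectAltNameExtDefaultImpl fragment with subjAltNameNumGNs=1 and an empty subjAltExtPattern_0, the numbered subjAltExtGNEnable_N / subjAltExtPattern_N pairs John points to, and the $request.req_subject_name.cn$ variable from the earlier answer) can be modelled in a few lines. The Python below is an added example written for this archive page; it is not Dogtag or Red Hat Certificate System code and does not reproduce how the CA actually resolves $request.X$ variables. It assumes that request attributes are available as a flat name-to-value map keyed by the variable names used in the thread, that an enabled slot whose pattern is empty or resolves to nothing should be reported and skipped (what the real CA emits in that case is exactly what John suggests testing), and the RFC822Name type on index 0 and the values in REQUEST_ATTRS are constructed for the example.

```python
"""Model of SubjectAltNameExtDefault slot expansion (added example, not Dogtag code)."""
import re
from typing import Dict, List, Tuple

PARAMS = "policyset.serverCertSet.9.default.params."
CLASS_KEY = "policyset.serverCertSet.9.default.class_id"
VAR_RE = re.compile(r"\$([^$]+)\$")  # matches $request.SAN1$ and similar variables

# The poster's fragment as quoted in the thread: one slot, enabled, empty pattern.
ORIGINAL_PROFILE_TEXT = """\
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

# Constructed variant along the lines John suggests: NumGNs=4, the two documented
# patterns on indices 0 and 1, the CN variable on index 2, and index 3 left enabled
# with no pattern to show the failure mode. RFC822Name on index 0 is an assumption.
PROPOSED_PROFILE_TEXT = """\
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_subject_name.cn$
policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_3=
policyset.serverCertSet.9.default.params.subjAltExtType_3=DNSName
"""

# Constructed request attributes, keyed by the variable names used in the thread.
REQUEST_ATTRS: Dict[str, str] = {
    "request.requester_email": "admin@example.com",
    "request.SAN1": "test.example.com",
    "request.req_subject_name.cn": "node1.example.com",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse key=value profile lines into a dict; blank and '#' lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand_pattern(pattern: str, attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every $name$ with attrs[name]; also return the names that had no value."""
    missing: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = attrs.get(name, "")
        if not value:
            missing.append(name)
        return value

    return VAR_RE.sub(repl, pattern), missing


def build_san(props: Dict[str, str], attrs: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Walk the NumGNs slots and return (general_names, warnings).

    Disabled slots are skipped silently; an enabled slot with an empty pattern or an
    unresolved variable is reported instead of being emitted as an empty name.
    """
    names: List[Tuple[str, str]] = []
    warnings: List[str] = []
    if props.get(CLASS_KEY) != "subjectAltNameExtDefaultImpl":
        return names, [f"{CLASS_KEY} is not subjectAltNameExtDefaultImpl"]
    num_gns = int(props.get(PARAMS + "subjAltNameNumGNs", "0"))
    for i in range(num_gns):
        if props.get(f"{PARAMS}subjAltExtGNEnable_{i}", "false").lower() != "true":
            continue
        pattern = props.get(f"{PARAMS}subjAltExtPattern_{i}", "")
        gn_type = props.get(f"{PARAMS}subjAltExtType_{i}", "DNSName")
        if not pattern:
            warnings.append(f"index {i}: enabled but subjAltExtPattern_{i} is empty")
            continue
        value, missing = expand_pattern(pattern, attrs)
        warnings.extend(f"index {i}: ${name}$ has no value in the request" for name in missing)
        if value:
            names.append((gn_type, value))
    return names, warnings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_PROFILE_TEXT), ("proposed", PROPOSED_PROFILE_TEXT)):
        gns, warns = build_san(parse_profile(text), REQUEST_ATTRS)
        print(f"{label}: {gns}")
        for w in warns:
            print(f"  warning: {w}")
```

Run directly, the original fragment yields no general names and one warning (the enabled slot has nothing to format), while the proposed fragment yields an RFC822Name and two DNSNames plus a warning for the empty fourth slot. Dropping request.SAN1 from the attribute map turns slot 1 into a warning as well, which is the "data is null" symptom John expects to see when the request does not carry what a pattern asks for.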
subjAltNameNumGNs=1 > > > > > > > > > > > > > > > > > > > > > > The CSR looks like this: > > > > > > > > > > > > > > > > > > > > > > *Common Name :* node1.example.com > > > > > > > > > > > * Subject Alternative Names :* test.example.com , test1.example.com , > > > > > > > > > > > test2.example.com > > > > > > > > > > > *Organization:* Test Corp > > > > > > > > > > > *Organization Unit:* IT Department > > > > > > > > > > > *Locality:* LA > > > > > > > > > > > *State:* OR > > > > > > > > > > > *Country:* US > > > > > > > > > > > > > > > > > > > > > > I am doing to do this instead of using wildcard certs. > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > > > Rafael > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > Pki-users mailing list > > > > > > > > > > > Pki-users at redhat.com > > > > > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > > > > From spawn at rloteck.net Fri Jan 13 00:57:58 2017 From: spawn at rloteck.net (Rafael Leiva-Ochoa) Date: Fri, 13 Jan 2017 00:57:58 +0000 Subject: [Pki-users] SAN on Certificate In-Reply-To: <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com> <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com> <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> Message-ID: On the CSR there are SAN input fields...would it get them 
from there using the settings you stated below? On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote: > Hi: > > > > Not to sound like a broken record and say the same thing again, but > > I looked at this link you printed: > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default > > > > Note in there for the custom profile it has this setting: > > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4 > > > > Then for each "index" it has some different settings that determine how > the info is gathered for that particular SAN, like this: > > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$ > > > > and > > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true > > policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$ > > > > > > Off the top of my head, I"m not sure where it's getting those "values" > from. I'd have to go try it myself. > > But to start with you might want to just configure your profile in this > kind of way, and then we can figure out > > any problems with where the data is coming from. > > > > It may take a quick look at the code to see what is going on there. > > > > thanks, > > jack > > > > As a first test, if you are not providing the proper data for say 2 or 3 > sans, I suspect that the final output may show that you tried > > to set 3 sans but the data is null or something, > > > > thanks, > > jack > > > > ----- Original Message ----- > > > From: "Rafael Leiva-Ochoa" > > > To: "John Magne" > > > Cc: pki-users at redhat.com > > > Sent: Thursday, January 12, 2017 3:38:11 PM > > > Subject: Re: [Pki-users] SAN on Certificate > > > > > > Here is the last one I got... > > > > > > "The patterns are defined, "hard-coded", as part of the profile > > > configuration. 
Therefore the number of SANs for any given profile > > > is fixed (if you are using the SubjectAltNameExtDefault class). > > > Each pattern gets formatted using information available in the > > > request. See the documentation linked below for a table of the > > > variables you can include in these patterns. > > > > > > I cannot see a way to propagate arbitrary domain names, other than > > > the CN (which is available as the $request.req_subject_name.cn$ > > > variable), into SAN names, via SubjectAltNameExtDefault." > > > > > > You also responded with the links I have on this email. > > > > > > The original email subject on the list was: "SAN Feild in the MSCE > > > profile". I think you told me last time you were too busy to help. > > > > > > Thanks, > > > > > > R > > > On Thu, Jan 12, 2017 at 3:25 PM John Magne wrote: > > > > > > > Yeah sure, it just forward it to the list. > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > From: "Rafael Leiva-Ochoa" > > > > > > > > To: "John Magne" > > > > > > > > Cc: pki-users at redhat.com > > > > > > > > Sent: Thursday, January 12, 2017 3:08:50 PM > > > > > > > > Subject: Re: [Pki-users] SAN on Certificate > > > > > > > > > > > > > > > > I can send you the email that I got from the list? Will this be good? > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > R > > > > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne wrote: > > > > > > > > > > > > > > > > > Hi: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Is there any way you can reproduce the confusing answer you got, > which > > > > may > > > > > > > > > give us a head start? 
> > > > > _______________________________________________
> > > > > Pki-users mailing list
> > > > > Pki-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Fri Jan 13 18:38:13 2017
From: jmagne at redhat.com (John Magne)
Date: Fri, 13 Jan 2017 13:38:13 -0500 (EST)
Subject: [Pki-users] SAN on Certificate
In-Reply-To:
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com> <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com> <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com>
Message-ID: <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com>

Yes, that is the idea.

If the code is able to pull info out of the request with those id's, as in
the profile snippet, it will put them in the cert.

Might you let us know what kind of csr you are using? Is it something
external, or are you using the gui?

----- Original Message -----
From: "Rafael Leiva-Ochoa"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Thursday, January 12, 2017 4:57:58 PM
Subject: Re: [Pki-users] SAN on Certificate

On the CSR there are SAN input fields...would it get them from there using
the settings you stated below?
On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote:
> Hi:
>
> Not to sound like a broken record and say the same thing again, but
> I looked at this link you printed:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>
> Note in there for the custom profile it has this setting:
>
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
>
> Then for each "index" it has some different settings that determine how
> the info is gathered for that particular SAN, like this:
>
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
>
> and
>
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
>
> Off the top of my head, I'm not sure where it's getting those "values"
> from. I'd have to go try it myself.
> But to start with you might want to just configure your profile in this
> kind of way, and then we can figure out
> any problems with where the data is coming from.
>
> It may take a quick look at the code to see what is going on there.
>
> thanks,
> jack
>
> As a first test, if you are not providing the proper data for say 2 or 3
> sans, I suspect that the final output may show that you tried
> to set 3 sans but the data is null or something,
>
> thanks,
> jack
>
> ----- Original Message -----
> > > From: "Rafael Leiva-Ochoa"
> > > To: "John Magne"
> > > Cc: pki-users at redhat.com
> > > Sent: Thursday, January 12, 2017 3:38:11 PM
> > > Subject: Re: [Pki-users] SAN on Certificate
> > >
> > > Here is the last one I got...
> > >
> > > "The patterns are defined, "hard-coded", as part of the profile
> > > configuration.

From spawn at rloteck.net Fri Jan 13 18:39:54 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Fri, 13 Jan 2017 18:39:54 +0000
Subject: [Pki-users] SAN on Certificate
In-Reply-To: <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com>
References: <1837100061.7373295.1484262345943.JavaMail.zimbra@redhat.com> <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com> <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com>
Message-ID:

It's a GUI.

Does it matter? Would it make a difference if I use OpenSSL to generate
the CSR?

On Fri, Jan 13, 2017 at 10:38 AM John Magne wrote:
> Yes, that is the idea.
>
> If the code is able to pull info out of the request with those id's, as in
> the profile snippet,
> it will put them in the cert.
>
> Might you let us know what kind of csr you are using? Is it something
> external, or are you using the gui?
>
> ----- Original Message -----
> > From: "Rafael Leiva-Ochoa"
> > To: "John Magne"
> > Cc: pki-users at redhat.com
> > Sent: Thursday, January 12, 2017 4:57:58 PM
> > Subject: Re: [Pki-users] SAN on Certificate
> >
> > On the CSR there are SAN input fields...would it get them from there using
> > the settings you stated below?

From jmagne at redhat.com Fri Jan 13 19:43:52 2017
From: jmagne at redhat.com (John Magne)
Date: Fri, 13 Jan 2017 14:43:52 -0500 (EST)
Subject: [Pki-users] SAN on Certificate
In-Reply-To:
References: <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com> <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com>
Message-ID: <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com>

OK:

The reason to ask about GUI is because this makes it easier for us to make
sure the request has the info needed.

Take a look at this one:

/var/lib/pki-ca/profiles/ca/DomainController.cfg

This profile has the default for 2 SANs as in this snippet.
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2

Note the NumGNs is set to 2. It also uses parameters from the GUI to populate
the values.

If you have more non-standard inputs you want to put in your profile, I
believe there is a user defined input that can be used. This way you can
give it any id you want and the profile can be told to get that particular
value to put in place.

----- Original Message -----
> From: "Rafael Leiva-Ochoa"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Friday, January 13, 2017 10:39:54 AM
> Subject: Re: [Pki-users] SAN on Certificate
>
> It's a GUI.
>
> Does it matter? Would it make a difference if I use OpenSSL to generate
> the CSR?
>
> On Fri, Jan 13, 2017 at 10:38 AM John Magne wrote:
> > Yes, that is the idea.
> >
> > If the code is able to pull info out of the request with those id's, as in
> > the profile snippet,
> > it will put them in the cert.
> >
> > Might you let us know what kind of csr you are using?
> > Is it something external, or are you using the gui?
> >
> > ----- Original Message -----
> > > From: "Rafael Leiva-Ochoa"
> > > To: "John Magne"
> > > Cc: pki-users at redhat.com
> > > Sent: Thursday, January 12, 2017 4:57:58 PM
> > > Subject: Re: [Pki-users] SAN on Certificate
> > >
> > > On the CSR there are SAN input fields... would it get them from there using the settings you stated below?
> > >
> > > On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote:
> > >
> > > > Hi:
> > > >
> > > > Not to sound like a broken record and say the same thing again, but I looked at this link you printed:
> > > >
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> > > >
> > > > Note in there for the custom profile it has this setting:
> > > >
> > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
> > > >
> > > > Then for each "index" it has some different settings that determine how the info is gathered for that particular SAN, like this:
> > > >
> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
> > > >
> > > > and
> > > >
> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
> > > >
> > > > Off the top of my head, I'm not sure where it's getting those "values" from. I'd have to go try it myself.
> > > >
> > > > But to start with you might want to just configure your profile in this kind of way, and then we can figure out any problems with where the data is coming from.
> > > >
> > > > It may take a quick look at the code to see what is going on there.
> > > >
> > > > thanks,
> > > > jack
> > > >
> > > > As a first test, if you are not providing the proper data for say 2 or 3 sans, I suspect that the final output may show that you tried to set 3 sans but the data is null or something.
> > > >
> > > > thanks,
> > > > jack
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rafael Leiva-Ochoa"
> > > > > To: "John Magne"
> > > > > Cc: pki-users at redhat.com
> > > > > Sent: Thursday, January 12, 2017 3:38:11 PM
> > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > > >
> > > > > Here is the last one I got...
> > > > >
> > > > > "The patterns are defined, "hard-coded", as part of the profile configuration. Therefore the number of SANs for any given profile is fixed (if you are using the SubjectAltNameExtDefault class). Each pattern gets formatted using information available in the request. See the documentation linked below for a table of the variables you can include in these patterns.
> > > > >
> > > > > I cannot see a way to propagate arbitrary domain names, other than the CN (which is available as the $request.req_subject_name.cn$ variable), into SAN names, via SubjectAltNameExtDefault."
> > > > >
> > > > > You also responded with the links I have on this email.
> > > > >
> > > > > The original email subject on the list was: "SAN Feild in the MSCE profile". I think you told me last time you were too busy to help.
> > > > >
> > > > > Thanks,
> > > > > R
> > > > >
> > > > > On Thu, Jan 12, 2017 at 3:25 PM John Magne wrote:
> > > > >
> > > > > > Yeah sure, just forward it to the list.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rafael Leiva-Ochoa"
> > > > > > > To: "John Magne"
> > > > > > > Cc: pki-users at redhat.com
> > > > > > > Sent: Thursday, January 12, 2017 3:08:50 PM
> > > > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > > > > >
> > > > > > > I can send you the email that I got from the list? Will this be good?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > R
> > > > > > >
> > > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne wrote:
> > > > > > >
> > > > > > > > Hi:
> > > > > > > >
> > > > > > > > Is there any way you can reproduce the confusing answer you got, which may give us a head start?
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Rafael Leiva-Ochoa"
> > > > > > > > > To: pki-users at redhat.com
> > > > > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM
> > > > > > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > > > > > > >
> > > > > > > > > Any takers?
> > > > > > > > >
> > > > > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa <spawn at rloteck.net> wrote:
> > > > > > > > >
> > > > > > > > > > Hi Everyone,
> > > > > > > > > >
> > > > > > > > > > I am sorry for asking this question again, but the last time I asked it, I was confused with the answer. I am trying to create a "certificate profile" that will support 3 to 4 SAN (Subject Alternative Names), since the current profiles do not have support for this by default. I was trying to duplicate the "Manual Server Certificate Enrollment" profile, and adding SAN support. I tried using this as a guide:
> > > > > > > > > >
> > > > > > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> > > > > > > > > >
> > > > > > > > > > and
> > > > > > > > > >
> > > > > > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html
> > > > > > > > > >
> > > > > > > > > > This is what the profile looks like:
> > > > > > > > > >
> > > > > > > > > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > > > > > > > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > > > > > > > > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> > > > > > > > > > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> > > > > > > > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > > > > > > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> > > > > > > > > > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> > > > > > > > > > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> > > > > > > > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> > > > > > > > > >
> > > > > > > > > > The CSR looks like this:
> > > > > > > > > >
> > > > > > > > > > *Common Name:* node1.example.com
> > > > > > > > > > *Subject Alternative Names:* test.example.com, test1.example.com, test2.example.com
> > > > > > > > > > *Organization:* Test Corp
> > > > > > > > > > *Organization Unit:* IT Department
> > > > > > > > > > *Locality:* LA
> > > > > > > > > > *State:* OR
> > > > > > > > > > *Country:* US
> > > > > > > > > >
> > > > > > > > > > I am going to do this instead of using wildcard certs.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Rafael
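As an added illustration of the profile mechanics discussed in this message (not code from the thread or from Dogtag/RHCS), the Python below parses the profile Rafael posted, flags the two things John points at (subjAltNameNumGNs not matching the indexed entries, and an enabled entry whose pattern is empty so the SAN comes out null), and renders the patterns against a constructed request using a simplified model of the $variable$ substitution. The request field names and sample values, and the source of $request.SAN1$, are assumptions.

```python
"""Audit the Subject Alternative Name default of an RHCS/Dogtag-style
certificate profile.  Added example for the pki-users thread; the profile
text is the one posted there, the $variable$ substitution is a simplified
model (assumption), and the request fields are constructed sample values."""
import re

# Rafael's profile snippet from the thread: NumGNs=1 and one enabled
# DNSName entry whose pattern is empty.
RAFAEL_PROFILE = """
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

# Constructed request, modelled on the CSR fields shown in the thread.
# Which request attribute (if any) actually feeds $request.SAN1$ is an
# assumption; the thread leaves it open.
SAMPLE_REQUEST = {
    "request.req_subject_name.cn": "node1.example.com",
    "request.requestor_email": "admin@example.com",
    "request.SAN1": "test.example.com",
}

VAR_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def parse_profile(text):
    """key=value lines into a dict; blank lines and '#' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def san_defaults(props):
    """Prefixes of every policy default using subjectAltNameExtDefaultImpl."""
    return [k[: -len(".class_id")] for k, v in props.items()
            if k.endswith(".default.class_id")
            and v == "subjectAltNameExtDefaultImpl"]


def audit_san_default(props, prefix):
    """Findings for one SAN default: NumGNs must match the indexed entries,
    and an enabled entry needs a non-empty pattern or the SAN is empty."""
    p = prefix + ".params."
    findings = []
    num = int(props.get(p + "subjAltNameNumGNs", "0"))
    indexed = set()
    for k in props:
        m = re.fullmatch(re.escape(p) + r"subjAltExtType_(\d+)", k)
        if m:
            indexed.add(int(m.group(1)))
    if indexed != set(range(num)):
        findings.append(f"subjAltNameNumGNs={num} but indexed entries are "
                        f"{sorted(indexed)}")
    for i in range(num):
        enabled = props.get(p + f"subjAltExtGNEnable_{i}") == "true"
        if enabled and not props.get(p + f"subjAltExtPattern_{i}", ""):
            findings.append(f"entry {i} is enabled but subjAltExtPattern_{i} "
                            "is empty")
    return findings


def render_san(props, prefix, request):
    """Simplified model of pattern substitution: each $name$ in an enabled
    pattern becomes request[name] (empty when absent).  Returns (type, value)
    pairs in index order."""
    p = prefix + ".params."
    out = []
    for i in range(int(props.get(p + "subjAltNameNumGNs", "0"))):
        if props.get(p + f"subjAltExtGNEnable_{i}") != "true":
            continue
        pattern = props.get(p + f"subjAltExtPattern_{i}", "")
        value = VAR_RE.sub(lambda m: request.get(m.group(1), ""), pattern)
        out.append((props.get(p + f"subjAltExtType_{i}", ""), value))
    return out


def fixed_profile(text, patterns):
    """Rewrite the SAN default so NumGNs equals len(patterns) and every entry
    is an enabled DNSName with a non-empty pattern."""
    props = parse_profile(text)
    p = san_defaults(props)[0] + ".params."
    for k in [k for k in props if k.startswith(p + "subjAltExt")]:
        del props[k]
    for i, pat in enumerate(patterns):
        props[p + f"subjAltExtGNEnable_{i}"] = "true"
        props[p + f"subjAltExtType_{i}"] = "DNSName"
        props[p + f"subjAltExtPattern_{i}"] = pat
    props[p + "subjAltNameNumGNs"] = str(len(patterns))
    return "\n".join(f"{k}={v}" for k, v in props.items())


if __name__ == "__main__":
    props = parse_profile(RAFAEL_PROFILE)
    for prefix in san_defaults(props):
        print(prefix, audit_san_default(props, prefix))
        print(render_san(props, prefix, SAMPLE_REQUEST))
```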
From spawn at rloteck.net Fri Jan 13 19:45:14 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Fri, 13 Jan 2017 19:45:14 +0000
Subject: [Pki-users] SAN on Certificate
In-Reply-To: <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com>
References: <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com> <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com> <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks John, I will give this a try tonight.

On Fri, Jan 13, 2017 at 11:43 AM John Magne wrote:
> OK:
>
> The reason to ask about the GUI is because this makes it easier for us to make sure the request has the info needed.
>
> Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
>
> This profile has the default for 2 SANs as in this snippet.
>
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
>
> Note the NumGNs is set to 2. It also uses parameters from the GUI to populate the values.
>
> If you have more non-standard inputs you want to put in your profile, I believe there is a user-defined input that can be used. This way you can give it any id you want and the profile can be told to get that particular value to put in place.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This is how the profile looks like: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. constraint.class_id= > noConstraintImpl > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9.constraint. name =No Constraint > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.class_id= > > > > > > > > > > > > > > > > > > > > subjectAltNameExtDefaultImpl > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9.default. name = Subject Alternative > > > > Name > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Extension > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Default > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.params. 
> > > > > > > > > subjAltExtGNEnable_0=true > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.params. > subjAltExtPattern_0= > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.params.subjAltExtType_ > > > > 0=DNSName > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.params. > > > > > > > > > subjAltNameExtCritical=false > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > policyset.serverCertSet.9. default.params. > subjAltNameNumGNs=1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > The CSR looks like this: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Common Name :* node1.example.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > * Subject Alternative Names :* test.example.com , > > > > > > > > > test1.example.com , > > > > > > > > > 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > test2.example.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Organization:* Test Corp > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Organization Unit:* IT Department > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Locality:* LA > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *State:* OR > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Country:* US > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I am doing to do this instead of using wildcard certs. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Rafael > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Pki-users mailing list > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Pki-users at redhat.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
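Reading the quoted profile against John Magne's later point that subjAltNameNumGNs has to match the number of per-index entries, the thing I would want at this point is a small checker for the fragment. What follows is an added example, not code from the Dogtag/RHCS project or from anyone in this thread: it builds a SubjectAltNameExtDefault policy entry from a list of (type, pattern) pairs with NumGNs set to match, and checks an existing fragment for the mismatches the thread turns on (an empty subjAltExtPattern_N, an enabled index past NumGNs, a policy entry missing its constraint or default class_id). The key names are the ones quoted in the thread; the `$request.SAN2$` pattern is my own, formed by analogy with the `$request.SAN1$` in the docs excerpt, and whether an enrollment request actually carries such a value is exactly what the thread leaves open. The missing-class_id check is my reading of what the later "can't get default plugin id!" warning describes; the thread does not confirm that cause.

```python
"""Build and sanity-check a SubjectAltNameExtDefault policy entry.

Added example, not code from the Dogtag/RHCS project or from the thread.
Key names are the ones quoted on the list; the checks are structural and
are mine, not anything the CA itself is known to enforce.
"""
from typing import Dict, List, Tuple

# The fragment Rafael posted, copied from the thread (pattern 0 is empty).
RAFAEL_FRAGMENT = """\
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""


def build_san_policy(policyset: str, index: int,
                     entries: List[Tuple[str, str]],
                     critical: bool = False) -> Dict[str, str]:
    """One policy entry with len(entries) general names; NumGNs set to match."""
    prefix = f"policyset.{policyset}.{index}"
    params = f"{prefix}.default.params"
    cfg = {
        f"{prefix}.constraint.class_id": "noConstraintImpl",
        f"{prefix}.constraint.name": "No Constraint",
        f"{prefix}.default.class_id": "subjectAltNameExtDefaultImpl",
        f"{prefix}.default.name": "Subject Alternative Name Extension Default",
        f"{params}.subjAltNameExtCritical": "true" if critical else "false",
        f"{params}.subjAltNameNumGNs": str(len(entries)),
    }
    for i, (gn_type, pattern) in enumerate(entries):
        cfg[f"{params}.subjAltExtGNEnable_{i}"] = "true"
        cfg[f"{params}.subjAltExtType_{i}"] = gn_type
        cfg[f"{params}.subjAltExtPattern_{i}"] = pattern
    return cfg


def parse_profile(text: str) -> Dict[str, str]:
    """key=value lines to a dict; blank lines and # comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def render_profile(cfg: Dict[str, str]) -> str:
    """Dict back to sorted key=value lines, ready to paste into a .cfg."""
    return "\n".join(f"{k}={v}" for k, v in sorted(cfg.items())) + "\n"


def check_san_policies(cfg: Dict[str, str]) -> List[str]:
    """Structural problems in every policyset.<set>.<n> entry of a profile."""
    problems: List[str] = []
    prefixes = sorted({".".join(k.split(".")[:3]) for k in cfg
                       if k.startswith("policyset.") and k.count(".") >= 3})
    for prefix in prefixes:
        # Every entry needs both plugin ids, whatever extension it carries.
        for part in ("constraint", "default"):
            if not cfg.get(f"{prefix}.{part}.class_id"):
                problems.append(f"{prefix}: {part}.class_id is missing")
        if cfg.get(f"{prefix}.default.class_id") != "subjectAltNameExtDefaultImpl":
            continue
        params = f"{prefix}.default.params"
        try:
            num = int(cfg.get(f"{params}.subjAltNameNumGNs", ""))
        except ValueError:
            problems.append(f"{prefix}: subjAltNameNumGNs missing or not an integer")
            continue
        enabled = [int(k.rsplit("_", 1)[1]) for k, v in cfg.items()
                   if k.startswith(f"{params}.subjAltExtGNEnable_") and v == "true"]
        for i in sorted(enabled):
            if i >= num:
                problems.append(f"{prefix}: subjAltExtGNEnable_{i}=true but "
                                f"subjAltNameNumGNs={num} only covers 0..{num - 1}")
                continue
            if not cfg.get(f"{params}.subjAltExtType_{i}"):
                problems.append(f"{prefix}: subjAltExtType_{i} is missing")
            if not cfg.get(f"{params}.subjAltExtPattern_{i}"):
                problems.append(f"{prefix}: subjAltExtPattern_{i} is empty, "
                                f"so nothing populates general name {i}")
    return problems


if __name__ == "__main__":
    for problem in check_san_policies(parse_profile(RAFAEL_FRAGMENT)):
        print("posted fragment:", problem)
    # $request.SAN2$ is assumed by analogy with $request.SAN1$ from the docs.
    fixed = build_san_policy("serverCertSet", 9, [
        ("DNSName", "$request.req_subject_name.cn$"),
        ("DNSName", "$request.SAN1$"),
        ("DNSName", "$request.SAN2$"),
    ])
    print(render_profile(fixed))
```

Run as a script it reports the empty pattern in the posted fragment and prints a three-name entry whose NumGNs matches. The checker is deliberately blind to where the pattern values come from at enrollment time, since that is the part of the thread that is still unresolved.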
URL:

From spawn at rloteck.net Tue Jan 17 05:05:59 2017
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Mon, 16 Jan 2017 21:05:59 -0800
Subject: [Pki-users] SAN on Certificate
In-Reply-To:
References: <1482342290.7375218.1484263541401.JavaMail.zimbra@redhat.com>
 <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com>
 <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com>
 <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com>
Message-ID:

I just tried creating a new profile, and I got the following error:

[16/Jan/2017:20:57:44][localhost-startStop-1]: Start Profile Creation - caServerCertSAN4 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[16/Jan/2017:20:57:44][localhost-startStop-1]: ProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[16/Jan/2017:20:57:44][localhost-startStop-1]: BasicProfile: start init
[16/Jan/2017:20:57:44][localhost-startStop-1]: WARNING, can't get default plugin id!
[16/Jan/2017:20:57:44][localhost-startStop-1]: java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.profile.common.BasicProfile.createProfilePolicy(BasicProfile.java:891)
        at com.netscape.cms.profile.common.BasicProfile.init(BasicProfile.java:347)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:126)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:85)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:581)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[16/Jan/2017:20:57:44][localhost-startStop-1]: Done Profile Creation - caServerCertSAN4

I made sure to add the following lines to the CS.cfg:

profile.caServerCertSAN4.class_id=caEnrollImpl
profile.caServerCertSAN4.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCertSAN4.cfg

I attached the profile on this email.

Any help would be great,

Rafael

On Fri, Jan 13, 2017 at 11:45 AM, Rafael Leiva-Ochoa wrote:

> Thanks John I will give this a try tonight.
>
>
> On Fri, Jan 13, 2017 at 11:43 AM John Magne wrote:
>
>> OK:
>>
>> The reason to ask about GUI, is because this makes it easier for us to
>> make sure the request has the info needed.
>>
>> Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
>>
>> This profile has the default for 2 SANs as in this snippet.
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
>>
>> Note the NumGNs is set to 2. It also uses parameters from the GUI to
>> populate the values.
>>
>> If you have more non standard inputs you want to put in your profile, I
>> believe there is a user defined input that can be used. This way you can
>> give it any id you want and the profile can be told to get that
>> particular value to put in place.
>>
>> ----- Original Message -----
>> > From: "Rafael Leiva-Ochoa"
>> > To: "John Magne"
>> > Cc: pki-users at redhat.com
>> > Sent: Friday, January 13, 2017 10:39:54 AM
>> > Subject: Re: [Pki-users] SAN on Certificate
>> >
>> > It's a GUI.
>> >
>> > Does it matter? Would it make a difference if I use OpenSSL to generate
>> > the CSR?
>> >
>> > On Fri, Jan 13, 2017 at 10:38 AM John Magne wrote:
>> >
>> > > Yes, that is the idea.
>> > >
>> > > If the code is able to pull info out of the request with those id's, as in
>> > > the profile snippet, it will put them in the cert.
>> > >
>> > > Might you let us know what kind of csr you are using? Is it something
>> > > external, or are you using the gui?
>> > > ----- Original Message -----
>> > > From: "Rafael Leiva-Ochoa"
>> > > To: "John Magne"
>> > > Cc: pki-users at redhat.com
>> > > Sent: Thursday, January 12, 2017 4:57:58 PM
>> > > Subject: Re: [Pki-users] SAN on Certificate
>> > >
>> > > On the CSR there are SAN input fields...would it get them from there using
>> > > the settings you stated below?
>> > >
>> > > On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote:
>> > >
>> > > > Hi:
>> > > >
>> > > > Not to sound like a broken record and say the same thing again, but
>> > > > I looked at this link you printed:
>> > > >
>> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>> > > >
>> > > > Note in there for the custom profile it has this setting:
>> > > >
>> > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
>> > > >
>> > > > Then for each "index" it has some different settings that determine how
>> > > > the info is gathered for that particular SAN, like this:
>> > > >
>> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
>> > > >
>> > > > and
>> > > >
>> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
>> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
>> > > >
>> > > > Off the top of my head, I'm not sure where it's getting those "values"
>> > > > from. I'd have to go try it myself.
>> > > >
>> > > > But to start with you might want to just configure your profile in this
>> > > > kind of way, and then we can figure out any problems with where the data
>> > > > is coming from.
>> > > >
>> > > > It may take a quick look at the code to see what is going on there.
>> > > >
>> > > > thanks,
>> > > > jack
>> > > >
>> > > > As a first test, if you are not providing the proper data for say 2 or 3
>> > > > sans, I suspect that the final output may show that you tried to set
>> > > > 3 sans but the data is null or something,
>> > > >
>> > > > thanks,
>> > > > jack
>> > > >
>> > > > ----- Original Message -----
>> > > > > From: "Rafael Leiva-Ochoa"
>> > > > > To: "John Magne"
>> > > > > Cc: pki-users at redhat.com
>> > > > > Sent: Thursday, January 12, 2017 3:38:11 PM
>> > > > > Subject: Re: [Pki-users] SAN on Certificate
>> > > > >
>> > > > > Here is the last one I got...
>> > > > >
>> > > > > "The patterns are defined, "hard-coded", as part of the profile
>> > > > > configuration. Therefore the number of SANs for any given profile
>> > > > > is fixed (if you are using the SubjectAltNameExtDefault class).
>> > > > > Each pattern gets formatted using information available in the
>> > > > > request. See the documentation linked below for a table of the
>> > > > > variables you can include in these patterns.
>> > > > >
>> > > > > I cannot see a way to propagate arbitrary domain names, other than
>> > > > > the CN (which is available as the $request.req_subject_name.cn$
>> > > > > variable), into SAN names, via SubjectAltNameExtDefault."
>> > > > >
>> > > > > You also responded with the links I have on this email.
>> > > > >
>> > > > > The original email subject on the list was: "SAN Feild in the MSCE
>> > > > > profile". I think you told me last time you were too busy to help.
>> > > > >
>> > > > > Thanks,
>> > > > >
>> > > > > R
>> > > > >
>> > > > > On Thu, Jan 12, 2017 at 3:25 PM John Magne wrote:
>> > > > >
>> > > > > > Yeah sure, just forward it to the list.
>> > > > > > ----- Original Message -----
>> > > > > > From: "Rafael Leiva-Ochoa"
>> > > > > > To: "John Magne"
>> > > > > > Cc: pki-users at redhat.com
>> > > > > > Sent: Thursday, January 12, 2017 3:08:50 PM
>> > > > > > Subject: Re: [Pki-users] SAN on Certificate
>> > > > > >
>> > > > > > I can send you the email that I got from the list? Will this be
>> > > > > > good?
>> > > > > >
>> > > > > > Thanks,
>> > > > > >
>> > > > > > R
>> > > > > >
>> > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne wrote:
>> > > > > >
>> > > > > > > Hi:
>> > > > > > >
>> > > > > > > Is there any way you can reproduce the confusing answer you got, which
>> > > > > > > may give us a head start?
>> > > > > > >
>> > > > > > > ----- Original Message -----
>> > > > > > > > From: "Rafael Leiva-Ochoa"
>> > > > > > > > To: pki-users at redhat.com
>> > > > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM
>> > > > > > > > Subject: Re: [Pki-users] SAN on Certificate
>> > > > > > > >
>> > > > > > > > Any takers?
>> > > > > > > >
>> > > > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa <
>> > > > > > > > spawn at rloteck.net
>> > > > > > > > wrote:
>> > > > > > > >
>> > > > > > > > Hi Everyone,
> >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > I am sorry for asking this question again, but the last >> time I >> >> > > >> >> > > > asked >> >> > > >> >> > > > >> >> > > >> >> > > > > > it, >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > I >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > was confused with the answer. I am trying to create a >> >> > > "certificate >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > profile" >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > that will support 3 to 4 SAN (Subject Alternative Names), >> since >> >> > > the >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > current >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > profiles do not have support for this by default. 
I was >> trying to >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > duplicate >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > the "Manual Server Certificate Enrollment" profile, and >> adding >> >> > > SAN >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > support. >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > I tried using this as a guild: >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ >> Certificate_System/8.1/html/Admin_Guide/Certificate_and_ >> CRL_Extensions.html#Subject_Alternative_Name_Extension_Default >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > and >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> 
> > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ >> Certificate_System/8.1/html/Admin_Guide/Managing_Subject_ >> Names_and_Subject_Alternative_ >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > Names .html >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > This is how the profile looks like: >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. constraint.class_id= >> noConstraintImpl >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9.constraint. 
name =No Constraint >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. default.class_id= >> >> > > >> >> > > > >> >> > > >> >> > > > > > subjectAltNameExtDefaultImpl >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9.default. name = Subject >> Alternative >> >> > > Name >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > Extension >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > Default >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. default.params. >> >> > > >> >> > > > subjAltExtGNEnable_0=true >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. default.params. >> subjAltExtPattern_0= >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. default.params.subjAltExtType_ >> >> > > 0=DNSName >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. 
default.params. >> >> > > >> >> > > > subjAltNameExtCritical=false >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > policyset.serverCertSet.9. default.params. >> subjAltNameNumGNs=1 >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > The CSR looks like this: >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *Common Name :* node1.example.com >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > * Subject Alternative Names :* test.example.com , >> >> > > >> >> > > > test1.example.com , >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > test2.example.com >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *Organization:* Test Corp >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > 
> > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *Organization Unit:* IT Department >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *Locality:* LA >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *State:* OR >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > *Country:* US >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > I am doing to do this instead of using wildcard certs. 
>> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > Thanks, >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > Rafael >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> 
>> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > 
>> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > _______________________________________________ >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > Pki-users mailing list >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > 
>> >> > > >> >> > > > > > > > Pki-users at redhat.com >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > > >> >> > > >> >> > > > >> >> > > >> >> > > > >> >> > > >> >> > > >> >> > >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: profile.rtf Type: application/rtf Size: 6985 bytes Desc: not available URL: From jmagne at redhat.com Tue Jan 17 20:35:28 2017 From: jmagne at redhat.com (John Magne) Date: Tue, 17 Jan 2017 15:35:28 -0500 (EST) Subject: [Pki-users] SAN on Certificate In-Reply-To: References: <818666237.7385163.1484268806094.JavaMail.zimbra@redhat.com> <2065139592.7597205.1484332693616.JavaMail.zimbra@redhat.com> <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com> Message-ID: <126290916.9881522.1484685328354.JavaMail.zimbra@redhat.com> Taking a quick look, it appears that you are missing a setting with "class_id" in there. Just a suggestion. Often, for simplicity, when creating a new profile, we just copy over an old one and make the changes needed to create the new one. This can help to make sure that important settings are present. 
----- Original Message -----
> From: "Rafael Leiva-Ochoa"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Monday, January 16, 2017 9:05:59 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> I just tried creating a new profile, and I got the following error:
>
> [16/Jan/2017:20:57:44][localhost-startStop-1]: Start Profile Creation - caServerCertSAN4 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [16/Jan/2017:20:57:44][localhost-startStop-1]: ProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
> [16/Jan/2017:20:57:44][localhost-startStop-1]: BasicProfile: start init
> [16/Jan/2017:20:57:44][localhost-startStop-1]: WARNING, can't get default plugin id!
> [16/Jan/2017:20:57:44][localhost-startStop-1]: java.lang.NullPointerException
> java.lang.NullPointerException
>         at com.netscape.cms.profile.common.BasicProfile.createProfilePolicy(BasicProfile.java:891)
>         at com.netscape.cms.profile.common.BasicProfile.init(BasicProfile.java:347)
>         at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:126)
>         at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:85)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:581)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> [16/Jan/2017:20:57:44][localhost-startStop-1]: Done Profile Creation - caServerCertSAN4
>
> I made sure to add the following lines to the CS.cfg:
>
> profile.caServerCertSAN4.class_id=caEnrollImpl
> profile.caServerCertSAN4.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCertSAN4.cfg
>
> I attached the profile on this email.
>
> Any help would be great,
>
> Rafael
>
> On Fri, Jan 13, 2017 at 11:45 AM, Rafael Leiva-Ochoa wrote:
>
>> Thanks John I will give this a try tonight.
>>
>> On Fri, Jan 13, 2017 at 11:43 AM John Magne wrote:
>>
>>> OK:
>>>
>>> The reason to ask about GUI is because this makes it easier for us to make sure the request has the info needed.
>>>
>>> Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
>>>
>>> This profile has the default for 2 SANs as in this snippet.
>>>
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
>>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
>>>
>>> Note the NumGNs is set to 2. It also uses parameters from the GUI to populate the values.
>>>
>>> If you have more non-standard inputs you want to put in your profile, I believe there is a user-defined input that can be used. This way you can give it any id you want and the profile can be told to get that particular value to put in place.
>>>
>>> ----- Original Message -----
>>>> From: "Rafael Leiva-Ochoa"
>>>> To: "John Magne"
>>>> Cc: pki-users at redhat.com
>>>> Sent: Friday, January 13, 2017 10:39:54 AM
>>>> Subject: Re: [Pki-users] SAN on Certificate
>>>>
>>>> It's a GUI.
>>>>
>>>> Does it matter? Would it make a difference if I use OpenSSL to generate the CSR?
>>>>
>>>> On Fri, Jan 13, 2017 at 10:38 AM John Magne wrote:
>>>>
>>>>> Yes, that is the idea.
>>>>>
>>>>> If the code is able to pull info out of the request with those ids, as in the profile snippet, it will put them in the cert.
>>>>>
>>>>> Might you let us know what kind of csr you are using? Is it something external, or are you using the gui?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Rafael Leiva-Ochoa"
>>>>>> To: "John Magne"
>>>>>> Cc: pki-users at redhat.com
>>>>>> Sent: Thursday, January 12, 2017 4:57:58 PM
>>>>>> Subject: Re: [Pki-users] SAN on Certificate
>>>>>>
>>>>>> On the CSR there are SAN input fields... would it get them from there using the settings you stated below?
>>>>>>
>>>>>> On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote:
>>>>>>
>>>>>>> Hi:
>>>>>>>
>>>>>>> Not to sound like a broken record and say the same thing again, but I looked at this link you printed:
>>>>>>>
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>>>>>>>
>>>>>>> Note in there for the custom profile it has this setting:
>>>>>>>
>>>>>>> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
>>>>>>>
>>>>>>> Then for each "index" it has some different settings that determine how the info is gathered for that particular SAN, like this:
>>>>>>>
>>>>>>> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>>>>>>> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
>>>>>>> policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
>>>>>>>
>>>>>>> Off the top of my head, I'm not sure where it's getting those "values" from. I'd have to go try it myself.
>>>>>>>
>>>>>>> But to start with you might want to just configure your profile in this kind of way, and then we can figure out any problems with where the data is coming from.
>>>>>>>
>>>>>>> It may take a quick look at the code to see what is going on there.
>>>>>>>
>>>>>>> thanks,
>>>>>>> jack
>>>>>>>
>>>>>>> As a first test, if you are not providing the proper data for say 2 or 3 sans, I suspect that the final output may show that you tried to set 3 sans but the data is null or something,
>>>>>>>
>>>>>>> thanks,
>>>>>>> jack
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Rafael Leiva-Ochoa"
>>>>>>>> To: "John Magne"
>>>>>>>> Cc: pki-users at redhat.com
>>>>>>>> Sent: Thursday, January 12, 2017 3:38:11 PM
>>>>>>>> Subject: Re: [Pki-users] SAN on Certificate
>>>>>>>>
>>>>>>>> Here is the last one I got...
>>>>>>>>
>>>>>>>> "The patterns are defined, "hard-coded", as part of the profile configuration. Therefore the number of SANs for any given profile is fixed (if you are using the SubjectAltNameExtDefault class).
>>>>>>>>
>>>>>>>> Each pattern gets formatted using information available in the request. See the documentation linked below for a table of the variables you can include in these patterns.
>>>>>>>>
>>>>>>>> I cannot see a way to propagate arbitrary domain names, other than the CN (which is available as the $request.req_subject_name.cn$ variable), into SAN names, via SubjectAltNameExtDefault."
>>>>>>>>
>>>>>>>> You also responded with the links I have on this email.
>>>>>>>>
>>>>>>>> The original email subject on the list was: "SAN Feild in the MSCE profile". I think you told me last time you were too busy to help.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> R
>>>>>>>>
>>>>>>>> On Thu, Jan 12, 2017 at 3:25 PM John Magne wrote:
>>>>>>>>
>>>>>>>>> Yeah sure, just forward it to the list.
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Rafael Leiva-Ochoa"
>>>>>>>>>> To: "John Magne"
>>>>>>>>>> Cc: pki-users at redhat.com
>>>>>>>>>> Sent: Thursday, January 12, 2017 3:08:50 PM
>>>>>>>>>> Subject: Re: [Pki-users] SAN on Certificate
>>>>>>>>>>
>>>>>>>>>> I can send you the email that I got from the list? Will this be good?
> >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > Thanks, > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > R > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne > >> > >> > > wrote: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > Hi: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > Is there any way you can reproduce the confusing answer you > >> got, > >> > >> > > > >> > >> > > > which > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > may > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > give us a head start? 
> >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > ----- Original Message ----- > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > From: "Rafael Leiva-Ochoa" > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > 
> > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > To: pki-users at redhat.com > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Subject: Re: [Pki-users] SAN on Certificate > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Any takers? 
> >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa < > >> > >> > > > >> > >> > > > spawn at rloteck.net > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > wrote: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Hi Everyone, > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > 
> >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > I am sorry for asking this question again, but the last > >> time I > >> > >> > > > >> > >> > > > asked > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > it, > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > I > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > was confused with the answer. I am trying to create a > >> > >> > > "certificate > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > profile" > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > that will support 3 to 4 SAN (Subject Alternative Names), > >> since > >> > >> > > the > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > current > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > profiles do not have support for this by default. 
I was > >> trying to > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > duplicate > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > the "Manual Server Certificate Enrollment" profile, and > >> adding > >> > >> > > SAN > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > support. > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > I tried using this as a guild: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ > >> Certificate_System/8.1/html/Admin_Guide/Certificate_and_ > >> CRL_Extensions.html#Subject_Alternative_Name_Extension_Default > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > 
>> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > and > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ > >> Certificate_System/8.1/html/Admin_Guide/Managing_Subject_ > >> Names_and_Subject_Alternative_ > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Names .html > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > 
> >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > This is how the profile looks like: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. constraint.class_id= > >> noConstraintImpl > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9.constraint. name =No Constraint > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.class_id= > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > subjectAltNameExtDefaultImpl > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9.default. 
name = Subject > >> Alternative > >> > >> > > Name > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > Extension > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Default > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.params. > >> > >> > > > >> > >> > > > subjAltExtGNEnable_0=true > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.params. > >> subjAltExtPattern_0= > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.params.subjAltExtType_ > >> > >> > > 0=DNSName > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.params. 
> >> > >> > > > >> > >> > > > subjAltNameExtCritical=false > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > policyset.serverCertSet.9. default.params. > >> subjAltNameNumGNs=1 > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > The CSR looks like this: > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *Common Name :* node1.example.com > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > * Subject Alternative Names :* test.example.com , > >> > >> > > > >> > >> > > > test1.example.com , > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > 
> > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > test2.example.com > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *Organization:* Test Corp > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *Organization Unit:* IT Department > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *Locality:* LA > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *State:* OR > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > *Country:* US > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > 
> > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > I am doing to do this instead of using wildcard certs. > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Thanks, > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Rafael > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > 
>> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > 
> > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > 
> > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > _______________________________________________ > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Pki-users mailing list > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> 
> > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > Pki-users at redhat.com > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > > >> > >> > > > >> > >> > > > >> > >> > > >> > >> > From jmagne at redhat.com Tue Jan 17 23:58:41 2017 From: jmagne at redhat.com (John Magne) Date: Tue, 17 Jan 2017 18:58:41 -0500 (EST) Subject: [Pki-users] SAN on Certificate In-Reply-To: References: <33285289.7609028.1484336632823.JavaMail.zimbra@redhat.com> <126290916.9881522.1484685328354.JavaMail.zimbra@redhat.com> <1898698422.10085188.1484693921489.JavaMail.zimbra@redhat.com> Message-ID: <683275028.10105369.1484697521046.JavaMail.zimbra@redhat.com> OK: This is probably your problem: policyset.serverCertSAN4Set.7.constraint.class_id=noConstraintImpl\ policyset.serverCertSAN4Set.7.constraint.name=No Constraint\ For #7 there, I think you missed a couple of settings from the original. There is something for default.class_id= blah. Now you don't have one and the system is complaining. 
Just have a look

----- Original Message -----
From: "Rafael Leiva-Ochoa"
To: "John Magne"
Sent: Tuesday, January 17, 2017 3:01:47 PM
Subject: Re: [Pki-users] SAN on Certificate

Yes, Here is the output from the CS.cfg

profile.caServerCertSAN4.class_id=caEnrollImpl
profile.caServerCertSAN4.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCertSAN4.cfg

and

profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caServerCertSAN4,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment

On Tue, Jan 17, 2017 at 2:58 PM, John Magne wrote:
> OK:
>
> Did you make sure you put your profile in the profile.list entry in the
> CS.cfg ?
>
> Just trying to rule some things out.
>
> ----- Original Message -----
> From: "Rafael Leiva-Ochoa"
> To: "John Magne"
> Sent: Tuesday, January 17, 2017 2:10:12 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> auth.class_id= is blank by default. This was a direct copy from the
> caServerCert.cfg
> shared/profiles/ca/caServerCert.cfg>
> I just added the SAN info.
>
> Rafael
>
> On Tue, Jan 17, 2017 at 12:35 PM, John Magne wrote:
>
> > Taking a quick look, it appears that you are missing a setting with
> > "class_id" in there.
> >
> > Just a suggestion. Often, for simplicity, when creating a new profile, we
> > just copy over an old one and make the changes needed to create the new one.
> > This can help to make sure that important settings are present.
> >
> > ----- Original Message -----
> > > From: "Rafael Leiva-Ochoa"
> > > To: "John Magne"
> > > Cc: pki-users at redhat.com
> > > Sent: Monday, January 16, 2017 9:05:59 PM
> > > Subject: Re: [Pki-users] SAN on Certificate
> > >
> > > I just tried creating a new profile, and I got the following error:
> > >
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: Start Profile Creation - caServerCertSAN4 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: ProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: BasicProfile: start init
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: WARNING, can't get default plugin id!
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: java.lang.NullPointerException
> > > java.lang.NullPointerException
> > >     at com.netscape.cms.profile.common.BasicProfile.createProfilePolicy(BasicProfile.java:891)
> > >     at com.netscape.cms.profile.common.BasicProfile.init(BasicProfile.java:347)
> > >     at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:126)
> > >     at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:85)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:581)
> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
> > >     at java.security.AccessController.doPrivileged(Native Method)
> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
> > >     at java.security.AccessController.doPrivileged(Native Method)
> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >     at java.lang.Thread.run(Thread.java:745)
> > >
> > > [16/Jan/2017:20:57:44][localhost-startStop-1]: Done Profile Creation - caServerCertSAN4
> > >
> > > I made sure to add the following lines to the CS.cfg:
> > >
> > > profile.caServerCertSAN4.class_id=caEnrollImpl
> > > profile.caServerCertSAN4.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCertSAN4.cfg
> > >
> > > I attached the profile on this email.
> > >
> > > Any help would be great,
> > >
> > > Rafael
> > >
> > > On Fri, Jan 13, 2017 at 11:45 AM, Rafael Leiva-Ochoa <spawn at rloteck.net> wrote:
> > >
> > > > Thanks John I will give this a try tonight.
> > > >
> > > > On Fri, Jan 13, 2017 at 11:43 AM John Magne wrote:
> > > >
> > > >> OK:
> > > >>
> > > >> The reason to ask about GUI, is because this makes it easier for us to make sure
> > > >> the request has the info needed.
> > > >>
> > > >> Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
> > > >>
> > > >> This profile has the default for 2 SANs as in this snippet.
> > > >>
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
> > > >> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
> > > >>
> > > >> Note the NumGNs is set to 2. It also uses parameters from the GUI to populate the values.
> > > >>
> > > >> If you have more non standard inputs you want to put in your profile, I believe there is a user defined
> > > >> input that can be used. This way you can give it any id you want and the profile can be told to get that
> > > >> particular value to put in place.
> > > >>
> > > >> ----- Original Message -----
> > > >> > From: "Rafael Leiva-Ochoa"
> > > >> > To: "John Magne"
> > > >> > Cc: pki-users at redhat.com
> > > >> > Sent: Friday, January 13, 2017 10:39:54 AM
> > > >> > Subject: Re: [Pki-users] SAN on Certificate
> > > >> >
> > > >> > It's a GUI.
> > > >> >
> > > >> > Does it matter? Would it make a difference if I use OpenSSL to generate
> > > >> > the CSR ?
> > > >> >
> > > >> > On Fri, Jan 13, 2017 at 10:38 AM John Magne wrote:
> > > >> >
> > > >> > > Yes, that is the idea.
> > > >> > >
> > > >> > > If the code is able to pull info out of the request with those id's, as in
> > > >> > > the profile snippet, it will put them in the cert.
> > > >> > >
> > > >> > > Might you let us know what kind of csr you are using? Is it something
> > > >> > > external, or are you using the gui?
> > > >> > >
> > > >> > > ----- Original Message -----
> > > >> > > From: "Rafael Leiva-Ochoa"
> > > >> > > To: "John Magne"
> > > >> > > Cc: pki-users at redhat.com
> > > >> > > Sent: Thursday, January 12, 2017 4:57:58 PM
> > > >> > > Subject: Re: [Pki-users] SAN on Certificate
> > > >> > >
> > > >> > > On the CSR there are SAN input fields...would it get them from there using
> > > >> > > the settings you stated below?
> > > >> > >
> > > >> > > On Thu, Jan 12, 2017 at 4:53 PM John Magne wrote:
> > > >> > >
> > > >> > > > Hi:
> > > >> > > >
> > > >> > > > Not to sound like a broken record and say the same thing again, but
> > > >> > > > I looked at this link you printed:
> > > >> > > >
> > > >> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> > > >> > > >
> > > >> > > > Note in there for the custom profile it has this setting:
> > > >> > > >
> > > >> > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
> > > >> > > >
> > > >> > > > Then for each "index" it has some different settings that determine how
> > > >> > > > the info is gathered for that particular SAN, like this:
> > > >> > > >
> > > >> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > >> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
> > > >> > > >
> > > >> > > > and
> > > >> > > >
> > > >> > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
> > > >> > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
> > > >> > > >
> > > >> > > > Off the top of my head, I'm not sure where it's getting those "values"
> > > >> > > > from. I'd have to go try it myself.
> > > >> > > >
> > > >> > > > But to start with you might want to just configure your profile in this
> > > >> > > > kind of way, and then we can figure out
> > > >> > > > any problems with where the data is coming from.
> > > >> > > >
> > > >> > > > It may take a quick look at the code to see what is going on there.
> > > >> > > >
> > > >> > > > thanks,
> > > >> > > > jack
> > > >> > > >
> > > >> > > > As a first test, if you are not providing the proper data for say 2 or 3
> > > >> > > > sans, I suspect that the final output may show that you tried
> > > >> > > > to set 3 sans but the data is null or something,
> > > >> > > >
> > > >> > > > thanks,
> > > >> > > > jack
> > > >> > > >
> > > >> > > > ----- Original Message -----
> > > >> > > > > From: "Rafael Leiva-Ochoa"
> > > >> > > > > To: "John Magne"
> > > >> > > > > Cc: pki-users at redhat.com
> > > >> > > > > Sent: Thursday, January 12, 2017 3:38:11 PM
> > > >> > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > >> > > > >
> > > >> > > > > Here is the last one I got...
> > > >> > > > >
> > > >> > > > > "The patterns are defined, "hard-coded", as part of the profile
> > > >> > > > > configuration. Therefore the number of SANs for any given profile
> > > >> > > > > is fixed (if you are using the SubjectAltNameExtDefault class).
> > > >> > > > > Each pattern gets formatted using information available in the
> > > >> > > > > request. See the documentation linked below for a table of the
> > > >> > > > > variables you can include in these patterns.
> > > >> > > > >
> > > >> > > > > I cannot see a way to propagate arbitrary domain names, other than
> > > >> > > > > the CN (which is available as the $request.req_subject_name.cn$
> > > >> > > > > variable), into SAN names, via SubjectAltNameExtDefault."
> > > >> > > > >
> > > >> > > > > You also responded with the links I have on this email.
> > > >> > > > >
> > > >> > > > > The original email subject on the list was: "SAN Feild in the MSCE
> > > >> > > > > profile". I think you told me last time you were too busy to help.
> > > >> > > > >
> > > >> > > > > Thanks,
> > > >> > > > >
> > > >> > > > > R
> > > >> > > > >
> > > >> > > > > On Thu, Jan 12, 2017 at 3:25 PM John Magne <jmagne at redhat.com> wrote:
> > > >> > > > >
> > > >> > > > > > Yeah sure, just forward it to the list.
> > > >> > > > > >
> > > >> > > > > > ----- Original Message -----
> > > >> > > > > > From: "Rafael Leiva-Ochoa"
> > > >> > > > > > To: "John Magne"
> > > >> > > > > > Cc: pki-users at redhat.com
> > > >> > > > > > Sent: Thursday, January 12, 2017 3:08:50 PM
> > > >> > > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > >> > > > > >
> > > >> > > > > > I can send you the email that I got from the list? Will this be good?
> > > >> > > > > >
> > > >> > > > > > Thanks,
> > > >> > > > > >
> > > >> > > > > > R
> > > >> > > > > >
> > > >> > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne <jmagne at redhat.com> wrote:
> > > >> > > > > >
> > > >> > > > > > > Hi:
> > > >> > > > > > >
> > > >> > > > > > > Is there any way you can reproduce the confusing answer you got, which may
> > > >> > > > > > > give us a head start?
> > > >> > > > > > >
> > > >> > > > > > > ----- Original Message -----
> > > >> > > > > > > > From: "Rafael Leiva-Ochoa"
> > > >> > > > > > > > To: pki-users at redhat.com
> > > >> > > > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM
> > > >> > > > > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > >> > > > > > > >
> > > >> > > > > > > > Any takers?
> > > >> > > > > > > >
> > > >> > > > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa <spawn at rloteck.net> wrote:
> > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Hi Everyone, > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > 
>> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > I am sorry for asking this question again, but the > last > > > >> time I > > > >> > > > >> > > > > > >> > > > >> > > > asked > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > it, > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > I > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > was confused with the answer. 
I am trying to create a > > > >> > > > >> > > "certificate > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > profile" > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > that will support 3 to 4 SAN (Subject Alternative > > Names), > > > >> since > > > >> > > > >> > > the > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > current > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > profiles do not have support for this by default. 
I > was > > > >> trying to > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > duplicate > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > the "Manual Server Certificate Enrollment" profile, > and > > > >> adding > > > >> > > > >> > > SAN > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > support. > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > I tried using this as a guild: > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > 
> > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ > > > >> Certificate_System/8.1/html/Admin_Guide/Certificate_and_ > > > >> CRL_Extensions.html#Subject_Alternative_Name_Extension_Default > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > and > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > 
>> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > https://access.redhat.com/documentation/en-US/Red_Hat_ > > > >> Certificate_System/8.1/html/Admin_Guide/Managing_Subject_ > > > >> Names_and_Subject_Alternative_ > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Names .html > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > This is how the profile looks like: > > > >> > > > >> > 
> > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. constraint.class_id= > > > >> noConstraintImpl > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9.constraint. name =No > > Constraint > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. 
default.class_id= > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > subjectAltNameExtDefaultImpl > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9.default. name = Subject > > > >> Alternative > > > >> > > > >> > > Name > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > Extension > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Default > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. default.params. 
> > > >> > > > >> > > > > > >> > > > >> > > > subjAltExtGNEnable_0=true > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. default.params. > > > >> subjAltExtPattern_0= > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. > > default.params.subjAltExtType_ > > > >> > > > >> > > 0=DNSName > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. default.params. > > > >> > > > >> > > > > > >> > > > >> > > > subjAltNameExtCritical=false > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > policyset.serverCertSet.9. default.params. 
> > > >> subjAltNameNumGNs=1 > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > The CSR looks like this: > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *Common Name :* node1.example.com > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > 
>> > > > > > >> > > > >> > > > > > > > * Subject Alternative Names :* test.example.com , > > > >> > > > >> > > > > > >> > > > >> > > > test1.example.com , > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > test2.example.com > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *Organization:* Test Corp > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *Organization Unit:* IT Department > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *Locality:* LA > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > 
> > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *State:* OR > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > *Country:* US > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > I am doing to do this instead of using wildcard certs. 
> > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Thanks, > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Rafael > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > 
> >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > 
>> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > 
>> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> 
> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > 
>> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > _______________________________________________ > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Pki-users mailing list > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > Pki-users at redhat.com > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > > > >> > > > >> > > > > > >> > > > >> > > > > > > >> > > > >> > > > > > >> > > > >> > > 
From asaure at osh.com.mx Thu Jan 26 21:07:52 2017
From: asaure at osh.com.mx (Alejandro Saure Azcanio)
Date: Thu, 26 Jan 2017 21:07:52 -0000
Subject: [Pki-users] I can not import a server certificate
Message-ID: <000001d27803$8dbffbd0$a93ff370$@osh.com.mx>

When I try to import a server certificate from Firefox I receive the following message:

This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested.

Steps to reproduce the problem

Step 1: Generate a certificate request for Windows Server 2003. Create the .inf file to create the certificate request.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN = < fqdn de DC >"  ; Replace with the FQDN of the domain controller
KeySpec = 1
KeyLength = 1024  ; Can be 1024, 2048, 4096, 8192 or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1  ; This is for server authentication
;-----------------------------------------------

Step 2: Create the request file. To do this, type the following command at the command prompt, and then press ENTER:

certreq -new request.inf request.req

Step 3: Submit the request to a CA.

Step 4: We approve the certificate from the Dogtag administrator interface.

Step 5: We click on the Retrieve tab, then on List Certificates, then we look for our certificate and click on the "import your certificate" button. It shows us the following message.

How can I solve the problem?
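The Step 1 INF sets MachineKeySet = TRUE, so the key pair that certreq creates lives in the Windows machine store, and a browser's own key database never holds it. As an added example that is not part of the original message, the PowerShell script below runs the same request on that Windows host and installs the issued certificate with certreq -accept so it is matched to that key; the file name issued.cer and the FQDN lookup are assumptions.

```powershell
# Added example, not from the original post: run the certreq flow from the
# message end to end and show where the private key lives.
# Assumptions: run as Administrator on the Windows host that keeps the key,
# and the certificate issued by the CA has been copied back as .\issued.cer.
$ErrorActionPreference = 'Stop'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Same INF as in the post, with the [Version] header and closing quote fixed
# and a 2048-bit key (the post uses 1024; 1024-bit RSA is no longer adequate).
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path .\request.inf -Encoding ASCII

# Step 2 of the post: the key pair is generated in the LocalMachine store
# (MachineKeySet = TRUE); request.req is the PKCS#10 to submit to the CA.
certreq -new .\request.inf .\request.req

# The pending request and its key sit in Cert:\LocalMachine\REQUEST. Firefox
# keeps its own key database and cannot see this key, which is what the
# "you do not own the corresponding private key" dialog reports.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-Table Subject, HasPrivateKey, Thumbprint

# Steps 3-4 happen on the CA. Install the issued certificate on this host with
# certreq so Windows matches it to the pending request and binds it to the key.
certreq -accept .\issued.cer

# Check: the certificate is now in LocalMachine\My with HasPrivateKey = True.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-Table Subject, HasPrivateKey, NotAfter, Thumbprint
```

Once the certificate shows HasPrivateKey = True in the machine store it can be bound to the server application directly; importing it into a browser's personal certificate store is only needed for a client certificate whose key that browser generated.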
