[Pki-users] SAN on Certificate

Rafael Leiva-Ochoa spawn at rloteck.net
Thu Jan 12 23:38:11 UTC 2017


Here is the last one I got...

"The patterns are defined, "hard-coded", as part of the profile
configuration.  Therefore the number of SANs for any given profile
is fixed (if you are using the SubjectAltNameExtDefault class).
Each pattern gets formatted using information available in the
request.  See the documentation linked below for a table of the
variables you can include in these patterns.

I cannot see a way to propagate arbitrary domain names, other than
the CN (which is available as the $request.req_subject_name.cn$
variable), into SAN names, via SubjectAltNameExtDefault."

You also responded with the links I have on this email.

The original email subject on the list was: "SAN Feild in the MSCE
profile".  I think you told me last time you were too busy to help.

Thanks,

R
On Thu, Jan 12, 2017 at 3:25 PM John Magne <jmagne at redhat.com> wrote:

> Yeah sure, just forward it to the list.
>
> ----- Original Message -----
> From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
> To: "John Magne" <jmagne at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Thursday, January 12, 2017 3:08:50 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> I can send you the email that I got from the list? Will this be good?
>
> Thanks,
>
> R
>
> On Thu, Jan 12, 2017 at 3:05 PM John Magne <jmagne at redhat.com> wrote:
>
> > Hi:
> >
> > Is there any way you can reproduce the confusing answer you got, which may
> > give us a head start?
> >
> > ----- Original Message -----
> > > From: "Rafael Leiva-Ochoa" <spawn at rloteck.net>
> > > To: pki-users at redhat.com
> > > Sent: Thursday, January 12, 2017 2:36:36 PM
> > > Subject: Re: [Pki-users] SAN on Certificate
> > >
> > > Any takers?
> > >
> > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa <spawn at rloteck.net>
> > > wrote:
> > >
> > > Hi Everyone,
> > >
> > > I am sorry for asking this question again, but the last time I asked it, I
> > > was confused with the answer. I am trying to create a "certificate profile"
> > > that will support 3 to 4 SAN (Subject Alternative Names), since the current
> > > profiles do not have support for this by default. I was trying to duplicate
> > > the "Manual Server Certificate Enrollment" profile, and adding SAN support.
> > > I tried using this as a guide:
> > >
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> > >
> > > and
> > >
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html
> > >
> > > This is what the profile looks like:
> > >
> > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> > > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> > > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> > > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> > >
> > > The CSR looks like this:
> > >
> > > *Common Name:* node1.example.com
> > > *Subject Alternative Names:* test.example.com, test1.example.com,
> > > test2.example.com
> > > *Organization:* Test Corp
> > > *Organization Unit:* IT Department
> > > *Locality:* LA
> > > *State:* OR
> > > *Country:* US
> > >
> > > I am going to do this instead of using wildcard certs.
> > >
> > > Thanks,
> > >
> > > Rafael
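
An added example, not part of the original thread and not Certificate System code: a Python check that parses the SubjectAltNameExtDefault parameters of the profile quoted above and compares its fixed SAN slots against the SANs the CSR asks for, following the quoted statement that the number of SANs per profile is fixed. Only the parameter names come from the thread; the function names and finding texts are hypothetical.

```python
import re

# Profile lines as posted in the thread (whitespace normalized).
PROFILE = """\
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""
# SANs requested in the CSR described in the thread.
REQUESTED_SANS = ["test.example.com", "test1.example.com", "test2.example.com"]

# name, optional _<index> suffix, value
PARAM = re.compile(r"^policyset\.\w+\.\d+\.default\.params\.(\w+?)(?:_(\d+))?=(.*)$")


def parse_san_params(text):
    """Return (scalar params, {slot index: {param: value}})."""
    scalars, slots = {}, {}
    for line in text.splitlines():
        m = PARAM.match(line.strip())
        if not m:
            continue  # not a default.params line (e.g. class_id)
        name, idx, value = m.group(1), m.group(2), m.group(3).strip()
        if idx is None:
            scalars[name] = value
        else:
            slots.setdefault(int(idx), {})[name] = value
    return scalars, slots


def check_profile(text, requested_sans):
    """List mismatches between the profile's SAN slots and a request."""
    scalars, slots = parse_san_params(text)
    num_gns = int(scalars.get("subjAltNameNumGNs", "0"))
    findings, usable = [], 0
    for i in range(num_gns):
        slot = slots.get(i, {})
        if slot.get("subjAltExtGNEnable", "false").lower() != "true":
            findings.append(f"slot {i}: not enabled")
        elif not slot.get("subjAltExtPattern"):
            findings.append(f"slot {i}: enabled but pattern is empty")
        else:
            usable += 1
    if usable < len(requested_sans):
        findings.append(f"profile has {usable} usable SAN slot(s), request has {len(requested_sans)}")
    return findings
```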