[Pki-users] SubjectAltNameExt limited to 4 SANS?

George Wash georgewash87 at gmail.com
Tue Mar 14 21:31:39 UTC 2017


Using CS 9.1
I'm sending SAN nametypes and values in my HTTP requests to the CA inspired
by Section A.1.14 below
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/CertProfileReference.html

In general this is working, but I seem to be limited to 4 SANs maximum. The
CA seems to only process $request.req_san_pattern_<0-3>$

Here's my setup and some logs


#### SAN Profile Configuration - 10 SANs ####
...
policyset.MySet.SAN.constraint.class_id=noConstraintImpl
policyset.MySet.SAN.constraint.name=No Constraint
policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
policyset.MySet.SAN.default.name=Subject Alt Name Extension Default
policyset.MySet.SAN.default.params.subjAltNameExtCritical=false
policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$
policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true
policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$
policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true
policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$
policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true
policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$
policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true
policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$
policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$


#### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from client #####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_0' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_0' value='myserver0.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_1' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_1' value='myserver1.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_2' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_2' value='myserver2.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_3' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_3' value='myserver3.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_4' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_4' value='myserver4.example.com'


### CAProcessor Has Dropped SAN4 ####
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters:
....
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1:
DNSName
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_3: myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_1: myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_2: myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_0: myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
cert_request_type: pkcs10
...


### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated previously in processing ####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=0
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_0$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=1
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_1$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=2
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_2$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=3
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_3$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=4
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_4$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=5
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_5$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=6
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_6$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=7
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_7$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=8
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_8$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=9
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_9$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.


What's interesting is that SubjectAltNameExtDefault can take several extra
hardcoded nametypes and values from the profile and populate them in the
enrolled certificate.

Any thoughts?

Thanks
GW
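The three log stages in the post (CMSServlet parameter dump, CAProcessor input parameters, SubjectAltNameExtDefault createExtension) make the drop visible, but only if someone reads the debug log. The script below, an added example that is not part of the post or of the Certificate System code base, audits a CA debug log and reports which req_san_pattern_N/req_san_type_N indices were received over HTTP, which reached CAProcessor, and which ended up in the extension, so that a request whose SANs were silently discarded is flagged instead of producing a certificate that differs from what the client asked for. It assumes each debug entry is a single line (the mail archive wrapped them); the sample log is constructed to mirror the post: indices 0-4 submitted, 0-3 surviving.

```python
import re

# Constructed sample log (not copied from a real CA): same entry format as the
# post, one entry per line. Indices 0-4 are submitted, CAProcessor keeps 0-3,
# and the profile has subjAltNameNumGNs=10 so createExtension iterates i=0..9.
_PFX = "[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: "


def _http(i, kind, val):
    return (_PFX + "CMSServlet.java:430:outputHttpParameters() CMSServlet::service() "
            f"param name='req_san_{kind}_{i}' value='{val}'")


def _proc(i, kind, val):
    return _PFX + f"CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_{kind}_{i}: {val}"


def _ext(i, gname):
    lines = [_PFX + "SubjectAltNameExtDefault.java:443:createExtension() "
             f"SubjectAltNameExtDefault: createExtension i={i}"]
    if gname:
        lines.append(_PFX + "SubjectAltNameExtDefault.java:492:createExtension() "
                     f"SubjectAltNameExtDefault: createExtension got gname={gname} with type=DNSName")
    else:
        lines.append(_PFX + "SubjectAltNameExtDefault.java:489:createExtension() "
                     "SubjectAltNameExtDefault: gname is empty,not added.")
    return lines


SAMPLE_LOG = "\n".join(
    [_http(i, "type", "DNSName") for i in range(5)]
    + [_http(i, "pattern", f"myserver{i}.example.com") for i in range(5)]
    + [_proc(i, "type", "DNSName") for i in range(4)]
    + [_proc(i, "pattern", f"myserver{i}.example.com") for i in range(4)]
    + sum((_ext(i, f"myserver{i}.example.com" if i < 4 else None) for i in range(10)), [])
)

# Patterns for the three stages seen in the post's debug log.
HTTP_RE = re.compile(r"param name='req_san_(type|pattern)_(\d+)' value='([^']*)'")
PROC_RE = re.compile(r"CAProcessor: - req_san_(type|pattern)_(\d+): (.*)$")
IDX_RE = re.compile(r"createExtension i=(\d+)")
GOT_RE = re.compile(r"got gname=(\S+) with type=(\S+)")
EMPTY_RE = re.compile(r"gname is empty")


def parse_stages(log_text):
    """Collect req_san_* parameters per stage, keyed by SAN index."""
    http, proc, ext = {}, {}, {}
    current = None  # index of the createExtension iteration being logged
    for line in log_text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            http.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
            continue
        m = PROC_RE.search(line)
        if m:
            proc.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3).strip()
            continue
        m = IDX_RE.search(line)
        if m:
            current = int(m.group(1))
            continue
        m = GOT_RE.search(line)
        if m and current is not None:
            ext[current] = (m.group(2), m.group(1))  # (type, gname) added to the extension
            continue
        if EMPTY_RE.search(line) and current is not None:
            ext[current] = None  # pattern resolved to nothing; name silently skipped
    return {"http": http, "caprocessor": proc, "extension": ext}


def audit(log_text):
    """Compare what the client requested with what reached the extension."""
    st = parse_stages(log_text)
    requested = {i: (p.get("type"), p.get("pattern")) for i, p in st["http"].items()}
    issued = [st["extension"][i] for i in sorted(st["extension"]) if st["extension"][i]]
    return {
        "requested": requested,
        "issued": issued,
        "lost_before_caprocessor": sorted(set(requested) - set(st["caprocessor"])),
        "lost_before_extension": sorted(i for i in requested if not st["extension"].get(i)),
        "missing_from_cert": [v for i, v in sorted(requested.items()) if v not in issued],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("requested:", len(report["requested"]), "issued:", len(report["issued"]))
    print("dropped before CAProcessor:", report["lost_before_caprocessor"])
    print("missing from certificate:", report["missing_from_cert"])
```

Run it against the CA's debug log after an enrollment and treat a non-empty "missing_from_cert" as a failed enrollment: a CA that drops names rather than rejecting the request leaves the client with a certificate that does not cover the hosts it asked for, and nothing on the client side errors out unless it checks.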