[Pki-users] Subject Alt names concate

Fraser Tweedale ftweedal at redhat.com
Fri May 5 23:43:09 UTC 2017


On Fri, May 05, 2017 at 02:24:26PM +0200, Supper Florian 6342 sIT wrote:
> Hi,
> 
> Related to RFC 6125 (best practice for checking server identities), I have to create a cert profile which adds the Common Name from the subject into a SAN.
> 
> So far so good, this works now with this config.
> 
> policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
> policyset.cmcServerCert.10.constraint.name=No Constraint
> policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
> policyset.cmcServerCert.10.default.name=Subject Alt Name Constraint
> policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
> policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
> policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
> policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
> policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
> policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=1
> 
> 
> Now I have to add additional SANs if the user sends them in the request.
> 
> CSR part:
> Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:mywebservice.example.com, DNS:mywebservicealias.example.com
> 
> 
> With this config, it is possible to take the SANs out of the CSR and bring them into the cert.
> 
> policyset.cmcServerCert.9.constraint.class_id=noConstraintImpl
> policyset.cmcServerCert.9.constraint.name=No Constraint
> policyset.cmcServerCert.9.constraint.subjAltNameExtCritical=false
> policyset.cmcServerCert.9.default.class_id=userExtensionDefaultImpl
> policyset.cmcServerCert.9.default.name=User Supplied Extension Default
> policyset.cmcServerCert.9.default.params.userExtOID=2.5.29.17
> 
> 
> The problem I had is that I had to take the SANs out of the request and then ADD the CN from the subject as a SAN too.
> 
> I'm not able to get this working.
> 
> Please help.
> 
> Thanks in advance.
> 
> Br
> florian

Hi Florian,

In the 10.4 release, we added a new profile component specifically
for adding the CN (if it looks like a DNS name) to the SAN extension
(creating it if necessary).  It is called CommonNameToSANDefault.

See https://bugzilla.redhat.com/show_bug.cgi?id=1429492 for more
details.

Thanks,
Fraser
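As an added illustration (not part of this thread or of Dogtag's own code), the following Python sketches the merge the two profile components are meant to achieve: keep the DNS SANs the requester supplied and add the subject CN as a dNSName only when it looks like a DNS name and is not already present. The DNS-name heuristic and the `DNS:<name>` string representation are assumptions of the example.

```python
import re

# Constructed sample input mirroring the values quoted in the thread.
REQUEST_CN = "mywebservice.example.com"
REQUESTED_SANS = ["DNS:mywebservice.example.com",
                  "DNS:mywebservicealias.example.com"]

# RFC 1123 label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def looks_like_dns_name(name: str) -> bool:
    """Heuristic (an assumption of this example): is `name` a plausible
    hostname, optionally with a leading wildcard label?"""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    if not labels:
        return False
    # A purely numeric dotted form is an IPv4 address, not a DNS name.
    if all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def merge_cn_into_san(cn: str, requested_sans=None) -> list:
    """Return the SAN entries to issue: the requester's entries, plus
    DNS:<cn> when the CN is DNS-like and not already listed (case-insensitive).
    An absent SAN extension (None) is created rather than left out."""
    sans = list(requested_sans or [])
    if not looks_like_dns_name(cn):
        return sans  # a CN such as "My Web Service" must not become a SAN
    present = {s.split(":", 1)[1].lower()
               for s in sans if s.upper().startswith("DNS:")}
    if cn.lower() not in present:
        sans.append(f"DNS:{cn}")
    return sans


if __name__ == "__main__":
    print(merge_cn_into_san(REQUEST_CN, REQUESTED_SANS))
    print(merge_cn_into_san(REQUEST_CN, None))
```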
