[Pki-users] Subject Alt names concate
Fraser Tweedale
ftweedal at redhat.com
Fri May 5 23:43:09 UTC 2017
On Fri, May 05, 2017 at 02:24:26PM +0200, Supper Florian 6342 sIT wrote:
> Hi,
>
> related to RFC 6125 (best practice for checking server identities) I have to create a cert profile which adds the Common Name from the subject into a SAN.
>
> So far so good, this works now with this config.
>
> policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
> policyset.cmcServerCert.10.constraint.name=No Constraint
> policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
> policyset.cmcServerCert.10.default.name=Subject Alt Name Constraint
> policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
> policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
> policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
> policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
> policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
> policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=1
>
>
> Now I have to add additional SANs if the user sends them in the request.
>
> CSR part:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> DNS:mywebservice.example.com, DNS:mywebservicealias.example.com
>
>
> With this config, it is possible to take the SANs out of the CSR and bring them into the cert.
>
> policyset.cmcServerCert.9.constraint.class_id=noConstraintImpl
> policyset.cmcServerCert.9.constraint.name=No Constraint
> policyset.cmcServerCert.9.constraint.subjAltNameExtCritical=false
> policyset.cmcServerCert.9.default.class_id=userExtensionDefaultImpl
> policyset.cmcServerCert.9.default.name=User Supplied Extension Default
> policyset.cmcServerCert.9.default.params.userExtOID=2.5.29.17
>
>
> The problem I had is that I had to take the SANs out of the request and then ADD the CN from the subject as a SAN too.
>
> I'm not able to get this working.
>
> Please help.
>
> Thanks in advance.
>
> Br
> florian
Hi Florian,
In the 10.4 release, we added a new profile component specifically
for adding the CN (if it looks like a DNS name) to the SAN extension
(creating it if necessary). It is called CommonNameToSANDefault.
See https://bugzilla.redhat.com/show_bug.cgi?id=1429492 for more
details.
Thanks,
Fraser
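The behaviour Florian asked for and Fraser's CommonNameToSANDefault provides (take the SAN names the requester supplied, then add the subject CN as a DNSName only when it actually looks like a DNS name, without duplicating it) is easy to get subtly wrong, so here is the merge logic spelled out as an added, stand-alone Python example. It is not Dogtag's code and not part of the thread; the hostname heuristic (`looks_like_dns_name`), the `parse_openssl_san_line` helper for the `openssl req -text` SAN line quoted in the question, and the `cn_covered_by_san` check for the RFC 6125 case (a verifier that ignores CN) are all this example's own assumptions. It uses only the standard library.

```python
import re

# Constructed hostname heuristic (this example's assumption, not Dogtag's rule):
# RFC 1123-style labels, at least two labels, optional trailing dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def parse_openssl_san_line(line):
    """Parse the SAN line as printed by `openssl req -text`,
    e.g. "DNS:a.example.com, DNS:b.example.com, IP Address:192.0.2.1",
    into {"DNS": [...], "IP Address": [...]} preserving order."""
    out = {}
    for entry in line.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Split on the first colon only so IPv6 values stay intact.
        kind, _, value = entry.partition(":")
        out.setdefault(kind.strip(), []).append(value.strip())
    return out


def looks_like_dns_name(value):
    """True if a CN is plausibly a DNS hostname, so it may be copied into a DNSName.
    Descriptive CNs ("My Web Service") and IPv4 literals are rejected; an IP belongs
    in an IPAddress GeneralName, not a DNSName."""
    if len(value) > 253:
        return False
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        return False
    return bool(_HOSTNAME_RE.match(value))


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".")


def merge_cn_into_san(subject_cn, requested_dns_sans):
    """DNS names the issued certificate should carry: the CSR-requested names first,
    then the subject CN if it looks like a DNS name and is not already present."""
    candidates = list(requested_dns_sans)
    if looks_like_dns_name(subject_cn):
        candidates.append(subject_cn)
    result, seen = [], set()
    for name in candidates:
        key = _norm(name)
        if key not in seen:
            seen.add(key)
            result.append(name)
    return result


def cn_covered_by_san(subject_cn, dns_sans):
    """RFC 6125 check: a client that only matches SAN accepts this certificate for
    the CN host only if the CN is also present as a DNSName."""
    cn = _norm(subject_cn)
    return any(cn == _norm(s) for s in dns_sans)


if __name__ == "__main__":
    # Constructed input mirroring the CSR excerpt from the question.
    csr_san_line = "DNS:mywebservice.example.com, DNS:mywebservicealias.example.com"
    requested = parse_openssl_san_line(csr_san_line).get("DNS", [])
    for cn in ("mywebservice.example.com", "www.example.com", "Internal Service"):
        final = merge_cn_into_san(cn, requested)
        print(f"CN={cn!r:28} SAN={final} cn_in_san={cn_covered_by_san(cn, final)}")
```

The order matters for the profile question in the thread: the requester's names are kept as submitted, the CN is appended only when missing, and a non-hostname CN leaves the SAN untouched rather than producing a DNSName that no client could ever match.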