[Pki-users] SAN for Launch page.

Marc Sauton msauton at redhat.com
Fri Mar 30 16:48:23 UTC 2018


Opened ticket
https://pagure.io/dogtagpki/issue/2979
SAN in internal SSL server certificate in pkispawn configuration step

Community comments welcome.

On Fri, Mar 30, 2018 at 8:24 AM, Rafael Leiva-Ochoa <spawn at rloteck.net>
wrote:

> Yes, making this a default will make it much easier.
>
> On Fri, Mar 30, 2018 at 8:14 AM Marc Sauton <msauton at redhat.com> wrote:
>
>> Yes, sorry, I forgot to mention the profile used for the internal SSL
>> server certificate at configuration needed to be copied
>> from /usr/share/pki/ca/conf/serverCert.profile.exampleWithSAN
>> Should we make this a default setting?
>> Thanks,
>> M.
>>
>> On Thu, Mar 29, 2018 at 10:05 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
>> wrote:
>>
>>> Found the solution here...Thanks again!
>>>
>>> https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html
>>>
>>> On Thu, Mar 29, 2018 at 8:06 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
>>> wrote:
>>>
>>>> sending to alias also...
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Rafael Leiva-Ochoa <spawn at rloteck.net>
>>>> Date: Thu, Mar 29, 2018 at 3:35 PM
>>>> Subject: Re: [Pki-users] SAN for Launch page.
>>>> To: Marc Sauton <msauton at redhat.com>
>>>>
>>>>
>>>> It did not work. I am still getting SAN errors when using the Launch
>>>> page. I viewed the Cert that was issued to the launch page, and it is still
>>>> missing the SAN. Here is my ca.cfg:
>>>>
>>>> [CA]
>>>> pki_admin_email=caadmin@test.com
>>>> pki_admin_name=caadmin
>>>> pki_admin_nickname=caadmin
>>>> pki_admin_password=xxxxxxxx
>>>> pki_admin_uid=caadmin
>>>>
>>>> pki_san_inject=True
>>>> pki_san_for_server_cert=dogtag-ca-root.test.com
>>>>
>>>> pki_client_database_password=xxxxxxxx
>>>> pki_client_database_purge=False
>>>> pki_client_pkcs12_password=xxxxxxxxxx
>>>>
>>>> pki_ds_base_dn=dc=test,dc=com
>>>> pki_ds_database=pki-tomcat
>>>> pki_ds_password=xxxxxxx
>>>>
>>>> pki_ca_signing_subject_dn=cn=TEST Root CA,ou=TEST Certification Authority,c=US
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Rafael
>>>>
>>>> On Thu, Mar 29, 2018 at 2:50 PM, Rafael Leiva-Ochoa <spawn at rloteck.net>
>>>> wrote:
>>>>
>>>>> Thanks, I will give that a try.
>>>>>
>>>>> On Thu, Mar 29, 2018 at 12:57 PM, Marc Sauton <msauton at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Try to add to the pkispawn config file, for example:
>>>>>> pki_san_inject=True
>>>>>> pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com
>>>>>>
>>>>>> Note for the "non-internal" certificates, there is a way to modify
>>>>>> enrollment profiles to add a SAN, but a recently updated feature is described
>>>>>> in the page at
>>>>>> http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN
>>>>>>
>>>>>> Thanks,
>>>>>> M.
>>>>>>
>>>>>> On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa <
>>>>>> spawn at rloteck.net> wrote:
>>>>>>
>>>>>>> Hi Everyone,
>>>>>>>
>>>>>>>     I am trying to build a new CA, and I am using the ca.cfg file to
>>>>>>> create the CA, but when I create the CA, the SAN is missing from the
>>>>>>> website cert (:8443). I am trying to look for the right value to put on the
>>>>>>> ca.cfg file for the SAN, so the launch page does not give me SAN
>>>>>>> errors. Here is what I found, but nothing relating to the SAN:
>>>>>>>
>>>>>>> [CA]
>>>>>>> pki_admin_email=caadmin@example.com
>>>>>>> pki_admin_name=caadmin
>>>>>>> pki_admin_nickname=caadmin
>>>>>>> pki_admin_password=Secret.123
>>>>>>> pki_admin_uid=caadmin
>>>>>>>
>>>>>>> pki_client_database_password=Secret.123
>>>>>>> pki_client_database_purge=False
>>>>>>> pki_client_pkcs12_password=Secret.123
>>>>>>>
>>>>>>> pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
>>>>>>> pki_ds_database=ca
>>>>>>> pki_ds_password=Secret.123
>>>>>>>
>>>>>>> pki_security_domain_name=EXAMPLE
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Rafael
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pki-users mailing list
>>>>>>> Pki-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
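A pre-deployment check for the two SAN parameters discussed in this thread, added here as an example (it is not code from the thread or from the Dogtag project). The function names, the constructed sample config and the case-insensitive reading of `True` are assumptions; per the thread, the server certificate profile also had to be copied from `serverCert.profile.exampleWithSAN`, which this check does not cover.

```python
import configparser
import re

# Constructed sample: a [CA] section carrying the SAN settings from the thread.
SAMPLE_CFG = """\
[CA]
pki_admin_uid=caadmin
pki_san_inject=True
pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com
"""

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_fqdn(name):
    """True for a dotted DNS name whose labels are all syntactically valid."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))

def check_san_settings(cfg_text, expected_hosts, section="CA"):
    """Return a list of problems with the SAN settings in a pkispawn config."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(cfg_text)
    except configparser.Error as exc:
        # A value wrapped onto an unindented line (as mail clients do) lands here.
        return [f"config does not parse: {exc.__class__.__name__}"]
    if not parser.has_section(section):
        return [f"section [{section}] not found"]
    sect = parser[section]
    problems = []
    # Assumption: the value is compared case-insensitively against "True".
    if sect.get("pki_san_inject", "").strip().lower() != "true":
        problems.append("pki_san_inject is not True")
    raw = sect.get("pki_san_for_server_cert", "")
    names = [n.strip().lower() for n in raw.split(",") if n.strip()]
    if not names:
        problems.append("pki_san_for_server_cert is empty or missing")
    for name in names:
        # Catches typos and values broken by an indented continuation line.
        if not is_fqdn(name):
            problems.append(f"invalid SAN entry: {name!r}")
    for host in expected_hosts:
        if host.lower() not in names:
            problems.append(f"{host} is not listed in pki_san_for_server_cert")
    return problems

if __name__ == "__main__":
    print(check_san_settings(SAMPLE_CFG, ["ca.example.com"]) or "SAN settings OK")
```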