pushed to master:
commit e2683d6a8f6211ac58a5674aaa626814f26ebbf2
Christina
On 04/21/2015 05:57 PM, John Magne wrote:
 Looks good:
 ACK
 Btw, loaded up the python in pycharm and could not see any obvious warnings in the new bits of code.
 ----- Original Message -----
 From: "Christina Fu" <cfu(a)redhat.com>
 To: pki-devel(a)redhat.com
 Sent: Tuesday, April 21, 2015 5:40:33 PM
 Subject: Re: [Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch
 please find revised patch per comments.
 thanks,
 Christina
 On 04/21/2015 11:40 AM, John Magne wrote:
> Some minor things I found.
>
> 1. +    @XmlElement
> +    protected String san_server_cert;
> +
>
> In SystemCertData.java: Name might be a bit confusing, making one think this is a cert and not san data.
> How about something like "san_for_server_cert" ?
>
> 2. In methods:  public static void injectSANextensionIntoRequest(IConfigStore config,
> +                           IRequest req) throws Exception {
>
> and
>
>    public static String buildSANSSLserverURLExtension(IConfigStore config)
> +           throws Exception {
>
>
> In file  CertUtil.java
>
> -Can we sanity check the input params to avoid mystery null pointers?
> -I think we previously realized that StringTokenizer has been deprecated in favor of String.split.
> -Could we look at the error checking and decide what to do when there is for instance no san data available.
> In these cases the output will be kind of odd.
>
> 3. Still looking at the python, just wanted to get started with this minor stuff.
>
>     
>
>
>
> ----- Original Message -----
>> From: "Christina Fu" <cfu(a)redhat.com>
>> To: pki-devel(a)redhat.com
>> Sent: Monday, April 20, 2015 5:00:47 PM
>> Subject: Re: [Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch
>>
>> now with the attachment.
>>
>> On 04/20/2015 02:24 PM, Christina Fu wrote:
>>> This patch allows SAN to be specified for the server cert during
>>> installation.
>>> It ports some of the code from now obsolete 8.1 errata that dealt with
>>> IP port separation, and added needed pkispawn config parameters and
>>> example enrollment profile with SAN patterns
>>>
>>> note: the installation part of san injection code ported was
>>> originally authored by mharmsen, while the backend SAN input code
>>> (authored by myself) was already ported earlier for other purpose.
>>>
>>> Usage:
>>> * under /usr/share/pki/ca/conf, you will find a new file called
>>> serverCert.profile.exampleWithSANpattern
>>> * copy existing serverCert.profile away and replace with
>>> serverCert.profile.exampleWithSANpattern
>>> * edit serverCert.profile.exampleWithSANpattern
>>>     - follow the instruction right above 8.default.
>>>     - save and quit
>>> * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
>>>     - follow the instruction right above policyset.serverCertSet.9
>>>     - save and quit
>>> * save away and edit the ca config file for pkispawn: (note: you can
>>> add multiple SAN's delimited by ',' for pki_san_server_cert)
>>>     - add the following lines, e.g.
>>>       pki_san_inject=True
>>>       pki_san_server_cert=host1.Example.com
>>>     - do the same pkispawn cfg changes for kra or any other instances
>>> that you plan on creating
>>> * create your instance(s)
>>>     check the ssl server cert, it should contain something like the
>>> following:
>>>
>>>                   Identifier: Subject Alternative Name - 2.5.29.17
>>>                       Critical: no
>>>                       Value:
>>>                           DNSName: host1.Example.com
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel