Dear pki-users,
I'm trying to set up a pki-ca instance to produce X.509 certificates which include a
Subject Alternative Name Extension with the following attributes:
Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.
I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is
the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
The input certificate request is generated using certutil and CMCEnroll and the command
used is the following:
certutil -R -g 2048 -s "<the-subject>" -7
"<the-requestor-email>" -d <a-local-dir> ……
The certificate is generated, but the extension is not populated with the email address
and I always get:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: $request.requestor_email$
These are the installed packages:
pki-java-tools-9.0.18-1.fc15.noarch
pki-selinux-9.0.18-1.fc15.noarch
pki-setup-9.0.18-1.fc15.noarch
pki-ca-9.0.18-1.fc15.noarch
dogtag-pki-common-theme-9.0.10-1.fc15.noarch
pki-symkey-9.0.18-1.fc15.x86_64
pki-native-tools-9.0.18-1.fc15.x86_64
dogtag-pki-ca-theme-9.0.10-1.fc15.noarch
pki-console-9.0.5-1.fc15.noarch
pki-util-9.0.18-1.fc15.noarch
dogtag-pki-console-theme-9.0.10-1.fc15.noarch
pki-common-9.0.18-1.fc15.noarch
Does anybody have any suggestions on how to solve this issue? Any input would be much
appreciated.
Best Regards
Riccardo
Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti(a)to.infn.it
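The following script is an added example and is not part of the post above or of Dogtag itself. It does two things a practitioner would want when chasing the symptom described: it parses the policyset fragment of a Dogtag profile .cfg, checks the SAN constraint and default entries against each other (OID, criticality, number of enabled general names) and lists every $request.…$ attribute the pattern depends on; and it scans pretty-printed certificate output for the failure mode shown in the post, a literal, unsubstituted pattern sitting where an RFC822 address should be. The profile lines are copied from the post; the two certificate text samples are constructed inputs, and the e-mail syntax check is deliberately loose (its job is to distinguish an address from a leftover pattern, not to validate RFC 822). Whether the CMC enrollment path actually populates requestor_email is the question the post raises; the lint only names the dependency.

```python
"""Lint a Dogtag profile's SAN policy and detect unsubstituted $request.*$ patterns.

Added example, not Dogtag code.  PROFILE_TEXT is copied from the post;
BROKEN_CERT_TEXT and GOOD_CERT_TEXT are constructed sample inputs.
"""
import re
from collections import defaultdict

# Profile fragment from the post (policyset.cmcUserCertSet, entry 8).
PROFILE_TEXT = """\
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
"""

# Constructed: pretty-printed SAN of the broken certificate (pattern never substituted).
BROKEN_CERT_TEXT = """\
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: $request.requestor_email$
"""

# Constructed: what the same output should look like once substitution works.
GOOD_CERT_TEXT = """\
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: alice@example.org
"""

SAN_OID = "2.5.29.17"
PATTERN_RE = re.compile(r"\$[A-Za-z0-9_.]+\$")      # e.g. $request.requestor_email$
EMAIL_RE = re.compile(r"^[^@\s$]+@[^@\s$]+\.[^@\s$]+$")  # loose: address vs. leftover pattern


def parse_profile(text):
    """Return {policy_id: {key: value}} for 'policyset.<set>.<n>.<rest>=<value>' lines."""
    policies = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) < 4 or parts[0] != "policyset":
            continue
        policy_id = ".".join(parts[:3])            # e.g. policyset.cmcUserCertSet.8
        policies[policy_id][".".join(parts[3:])] = value.strip()
    return dict(policies)


def lint_san_policy(params):
    """Consistency checks for one SAN policy entry; returns a list of findings."""
    findings = []
    if params.get("constraint.params.extOID") != SAN_OID:
        findings.append("constraint extOID is not %s" % SAN_OID)
    if params.get("default.class_id") != "subjectAltNameExtDefaultImpl":
        findings.append("default is not subjectAltNameExtDefaultImpl")
    c_crit = params.get("constraint.params.extCritical")
    d_crit = params.get("default.params.subjAltNameExtCritical")
    if c_crit != d_crit:
        findings.append("criticality mismatch: constraint=%s default=%s" % (c_crit, d_crit))
    try:
        num = int(params.get("default.params.subjAltNameNumGNs", "0"))
    except ValueError:
        num = 0
        findings.append("subjAltNameNumGNs is not an integer")
    enabled = [i for i in range(num)
               if params.get("default.params.subjAltExtGNEnable_%d" % i) == "true"]
    if not enabled:
        findings.append("no general name entry is enabled")
    for i in enabled:
        pattern = params.get("default.params.subjAltExtPattern_%d" % i, "")
        gn_type = params.get("default.params.subjAltExtType_%d" % i, "")
        # Every $...$ token is a request attribute the enrollment path must supply.
        for var in PATTERN_RE.findall(pattern):
            findings.append("GN %d (%s) depends on request attribute %s" % (i, gn_type, var))
    return findings


def find_unsubstituted(cert_text):
    """Literal $...$ tokens in pretty-printed certificate output (should be empty)."""
    return PATTERN_RE.findall(cert_text)


def rfc822_names_valid(cert_text):
    """True iff every RFC822Name value in the output looks like an e-mail address."""
    values = re.findall(r"RFC822Name:\s*(\S+)", cert_text)
    return bool(values) and all(EMAIL_RE.match(v) for v in values)


if __name__ == "__main__":
    for pid, params in parse_profile(PROFILE_TEXT).items():
        print(pid)
        for finding in lint_san_policy(params):
            print("  -", finding)
    print("broken cert leftovers:", find_unsubstituted(BROKEN_CERT_TEXT))
    print("good cert RFC822 names valid:", rfc822_names_valid(GOOD_CERT_TEXT))
```

Run it against a real profile by reading the .cfg into PROFILE_TEXT and pasting the CA's pretty-print of an issued certificate into the cert text; a non-empty result from find_unsubstituted means the certificate was issued with the pattern itself as the name, which is worth catching before such certificates are distributed.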