Using CS 9.1
I'm sending SAN nametypes and values in my HTTP requests to the CA inspired
by Section A.1.14 below
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
In general this is working, but I seem to be limited to 4 SANs maximum. The
CA seems to only process $request_req_san_pattern_<0-3>$.
Here's my setup and some logs:
#### SAN Profile Configuration - 10 SANs ####
...
policyset.MySet.SAN.constraint.class_id=noConstraintImpl
policyset.MySet.SAN.constraint.name=No Constraint
policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
policyset.MySet.SAN.default.name=Subject Alt Name Extension Default
policyset.MySet.SAN.default.params.subjAltNameExtCritical=false
policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$
policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true
policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$
policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true
policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$
policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true
policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$
policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true
policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$
policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$
#### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from client ####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_0' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_0' value='myserver0.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_1' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_1' value='myserver1.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_2' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_2' value='myserver2.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_3' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_3' value='myserver3.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_type_4' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
name='req_san_pattern_4' value='myserver4.example.com'
### CAProcessor Has Dropped SAN4 ####
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters:
....
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1:
DNSName
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2:
DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_3:
myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_1:
myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_2:
myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
req_san_pattern_0:
myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
CAProcessor.java:286:printParameterValues() CAProcessor: -
cert_request_type: pkcs10
...
### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated previously in processing ####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=0
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_0$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got
gname=myserver0.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=1
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_1$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got
gname=myserver1.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=2
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_2$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got
gname=myserver2.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=3
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_3$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:492:createExtension()
SubjectAltNameExtDefault: createExtension got
gname=myserver3.example.com
with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:498:createExtension()
SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=4
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_4$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=5
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_5$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=6
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_6$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=7
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_7$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=8
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_8$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:443:createExtension()
SubjectAltNameExtDefault: createExtension i=9
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:451:createExtension()
SubjectAltNameExtDefault: createExtension()
pattern=$request.req_san_pattern_9$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
SubjectAltNameExtDefault.java:489:createExtension()
SubjectAltNameExtDefault: gname is empty,not added.
What's interesting is the SubjectAltNameExtDefault can take several extra
hardcoded nametypes and values from the profile and populate them in the
enrolled certificate.
Any thoughts?
Thanks
GW
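
A triage sketch for the three log stages quoted in the message above, added here as an example (not part of the original post and not Certificate System code): it compares the `req_san_pattern_N` values seen by CMSServlet, by CAProcessor and by SubjectAltNameExtDefault, and reports which submitted SANs never reached the extension. The function names and the sample hostnames are assumptions made for the illustration.

```python
import re

# Constructed excerpt shaped like the CA debug log in the post: indices 3 and 4
# only, timestamps and thread names trimmed, lines wrapped as in the e-mail.
SAMPLE_LOG = """\
CMSServlet::service() param
name='req_san_pattern_3' value='host3.example.test'
CMSServlet::service() param
name='req_san_pattern_4' value='host4.example.test'
CAProcessor: -
req_san_pattern_3:
host3.example.test
SubjectAltNameExtDefault: createExtension i=3
SubjectAltNameExtDefault.java:496:createExtension() adding gname:
host3.example.test
SubjectAltNameExtDefault: createExtension i=4
SubjectAltNameExtDefault: gname is empty,not added.
"""

SERVLET = re.compile(r"param name='req_san_pattern_(\d+)' value='([^']*)'")
PROCESSOR = re.compile(r"CAProcessor: - req_san_pattern_(\d+): (\S+)")
EXT_STEP = re.compile(r"createExtension i=(\d+)|adding gname: (\S+)")


def trace_sans(log_text):
    """Return (received, forwarded, added): SAN index -> value at each stage."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    received = {int(i): v for i, v in SERVLET.findall(flat)}
    forwarded = {int(i): v for i, v in PROCESSOR.findall(flat)}
    added, current = {}, None
    for m in EXT_STEP.finditer(flat):
        if m.group(1) is not None:
            current = int(m.group(1))    # loop index now being processed
        elif current is not None:
            added[current] = m.group(2)  # gname actually put in the extension
    return received, forwarded, added


def dropped_sans(log_text):
    """Map each submitted SAN that was not added to the stage that lost it."""
    received, forwarded, added = trace_sans(log_text)
    lost = {}
    for idx, value in sorted(received.items()):
        if idx not in forwarded:
            lost[idx] = (value, "missing from CAProcessor input parameters")
        elif idx not in added:
            lost[idx] = (value, "not added by SubjectAltNameExtDefault")
    return lost
```

Run over the debug log of a single enrollment, an empty result from `dropped_sans` means every submitted `req_san_pattern_N` reached the extension.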
Hi George,
Looking at the code, while the SubjectAltNameExtDefault class can
handle up to 100 altnames, the SubjectAltNameExtInput class, which
stores user-submitted altname values into the request context, has a
hardcoded limit of 4.
If your use case requires handling more than 4 explicitly
submitted altnames, please file a ticket at