Re: [Pki-users] Adding subject alternative name into certificate

In general, the two easiest ways to add SAN into the cert. The following documentation should help. 1. The subjectAlternativeName profile configuration : (use this if your CSR does not contain SAN, but you have relevant info in the accompanying request or ldap) https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... 2. The User Supplied Extension Default : (use this if you generate your own SAN in the CSR) https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... Christina On 01/16/2014 06:06 AM, Jindrich Dolezal wrote: > hi all, > im struggling in adding the subject alternative name (san) into the > generated certificate. im doing scep request. when i print the cert > req into a file and dump it, it seems that san is correctly added: > $ openssl req -in certreq.csr -text -noout > Certificate Request: > ... > Requested Extensions: > X509v3 Subject Alternative Name: > email:example@example.org > Signature Algorithm: sha1WithRSAEncryption > 1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8: > .... > > the profile that is then used on ca contains: > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl > policyset.serverCertSet.9.constraint.name=No Constraint > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl > policyset.serverCertSet.9.default.name=Subject Alt Name Constraint > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false > policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$ > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1 > > and in the log file: > [16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension > [16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: > 2.5.29.17 Criticality=false > SubjectAlternativeName [ > [RFC822Name: example(a)example.org]] > ] > [16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject > > ..... > > [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: > populate start > [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: > createExtension i=0 > [16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added > [16/Jan/2014:13:49:42][http-9180-1]: count is 0 > [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: > populate sees no extension. get out > [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: > populate end > > and the san is not included in the certificate. > > i also tried other values for subjAltExtPattern_0 like > $request.email$, $request.SAN1$, etc but this only ended with state > where san was included into the certificate but has value as the > parameter, i.e. '$request.email$' which is apparently not what i wanted. > > would anyone know what im doing wrong, where is the catch? > > thank a lot > > jd > > > > > > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users