Hi all,
I'm struggling to add the subject alternative name (SAN) to the
generated certificate. I'm doing a SCEP request. When I print the cert req
into a file and dump it, it seems that the SAN is correctly added:
$ openssl req -in certreq.csr -text -noout
Certificate Request:
...
Requested Extensions:
X509v3 Subject Alternative Name:
email:example@example.org
Signature Algorithm: sha1WithRSAEncryption
1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
....
The profile that is then used on the CA contains:
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
And in the log file:
[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17
Criticality=false
SubjectAlternativeName [
[RFC822Name: example@example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
.....
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate sees no extension. get out
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end
And the SAN is not included in the certificate.
I also tried other values for subjAltExtPattern_0 like $request.email$,
$request.SAN1$, etc., but this only ended in a state where the SAN was
included in the certificate but had the parameter itself as its value, i.e.
'$request.email$', which is apparently not what I wanted.
Would anyone know what I'm doing wrong, where is the catch?
Thanks a lot
jd
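
A log check for the two symptoms described in this post, as an added example that is not part of the original message or of the CA's own code: it flags requests whose PKCS#10 carried a SAN (OID 2.5.29.17) while the profile default logged "count is 0", and recognises a SAN value that is still a literal $...$ pattern. The function names and the sample log (modeled on the lines quoted above) are assumptions.

```python
import re

# Constructed sample modeled on the log in the post; all names here are illustrative.
SAMPLE_LOG = """\
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17
Criticality=false
SubjectAlternativeName [
[RFC822Name: example@example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end
"""

ENTRY = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")  # [timestamp][thread]: message
SAN_OID = "2.5.29.17"
UNEXPANDED = re.compile(r"^\$[^$]+\$$")  # e.g. '$request.email$' left as-is

def parse_entries(text):
    """Return [thread, message] pairs; unprefixed lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(2), m.group(3)])
        elif entries:
            entries[-1][1] += "\n" + line
    return entries

def dropped_san_requests(text):
    """Return (subject, requested SANs) where the CSR had a SAN but the default built none."""
    state, findings = {}, []
    for thread, msg in parse_entries(text):
        s = state.setdefault(thread, {"san": None, "subject": None})
        if msg.startswith("Set extensions") and SAN_OID in msg:
            s["san"] = re.findall(r"RFC822Name: ([^\]\s]+)", msg)
        elif msg.startswith("Finish parsePKCS10 - "):
            s["subject"] = msg.split(" - ", 1)[1]
        elif msg == "count is 0" and s["san"]:
            findings.append((s["subject"], s["san"]))
        elif msg.endswith("populate end"):
            state.pop(thread, None)  # request finished; reset per-thread state
    return findings

def is_unexpanded_pattern(san_value):
    # True when an issued SAN still holds the literal profile variable.
    return bool(UNEXPANDED.match(san_value))
```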