In general, these are the two easiest ways to add a SAN to the cert. The following 
documentation should help.
1. The subjectAlternativeName profile configuration: (use this if your 
CSR does not contain a SAN, but you have the relevant info in the accompanying 
request or LDAP)
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
2. The User Supplied Extension Default: (use this if you generate your 
own SAN in the CSR)
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
Christina
On 01/16/2014 06:06 AM, Jindrich Dolezal wrote:
 Hi all,
 I'm struggling with adding the subject alternative name (SAN) into the 
 generated certificate. I'm doing a SCEP request. When I print the cert 
 req into a file and dump it, it seems that the SAN is correctly added:
 $ openssl req -in certreq.csr -text -noout
 Certificate Request:
     ...
         Requested Extensions:
             X509v3 Subject Alternative Name:
                 email:example@example.org
     Signature Algorithm: sha1WithRSAEncryption
          1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
           ....
 The profile that is then used on the CA contains:
 policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
 policyset.serverCertSet.9.constraint.name=No Constraint
 policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
 policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
 policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
 policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
 policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$ 
 policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
 policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
 And in the log file:
 [16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
 [16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 
 2.5.29.17 Criticality=false
 SubjectAlternativeName [
 [RFC822Name: example@example.org]]
 ]
 [16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
 .....
 [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
 populate start
 [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
 createExtension i=0
 [16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
 [16/Jan/2014:13:49:42][http-9180-1]: count is 0
 [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
 populate sees no extension.  get out
 [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
 populate end
 And the SAN is not included in the certificate.
 I also tried other values for subjAltExtPattern_0 like 
 $request.email$, $request.SAN1$, etc., but this only ended in a state 
 where the SAN was included in the certificate but had the parameter 
 name as its value, i.e. '$request.email$', which is apparently not what I wanted.
 Would anyone know what I'm doing wrong? Where is the catch?
 Thanks a lot,
 jd
 _______________________________________________
 Pki-users mailing list
 Pki-users(a)redhat.com
 
https://www.redhat.com/mailman/listinfo/pki-users
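As an added example (not from either message in the thread, nor taken from the Red Hat documentation linked above), here is what the second option, the User Supplied Extension Default, looks like as a profile policy entry. It replaces the subjectAltNameExtDefaultImpl entry quoted from the profile: that entry builds the SAN from the pattern $request.requestor_email$, and the quoted CA log shows that pattern expanding to an empty gname for the SCEP request, so nothing was added. The userExtensionDefaultImpl entry instead copies the extension the CSR already carries. The policy set name serverCertSet and index 9 are reused from the quoted profile; that this profile is the one the SCEP enrollment maps to is an assumption.

```properties
# Added example, not from the original thread: copy the subjectAltName
# extension supplied in the PKCS#10 request into the issued certificate.
# Replaces the subjectAltNameExtDefaultImpl entry at policyset.serverCertSet.9.
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.9.default.name=User Supplied Extension Default
# OID of subjectAltName; the same OID (2.5.29.17) the CA log shows it
# parsing from the PKCS#10 request ("Found PKCS10 extension").
policyset.serverCertSet.9.default.params.userExtOID=2.5.29.17
```

After the profile change, confirm the result the same way the CSR was checked: dump the issued certificate with `openssl x509 -in issued.pem -text -noout` and look for the email under "X509v3 Subject Alternative Name". One caveat for this option: the CA now copies whatever SAN the requester put into the CSR, so the SAN value is trusted from the client rather than derived by the CA; if the SAN is used for authentication, gate issuance with the SCEP challenge password or agent approval rather than automatic issuance.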