On 20/03/12 15:27, Riccardo Brunetti wrote:
Thanks Joshua for the prompt reply and answer.
I used the User Supplied Extension Default and it works.
Thank you very much again
Best Regards
Riccardo
Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti@to.infn.it
On 20/mar/2012, at 12:29, Joshua Roys wrote:
> On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:
>>
>> Dear pki-users.
>>
>> I'm trying to setup a pki-ca instance to produce X509 certificates
>> which include a Subject Alternative Name Extension with the
>> following attributes:
>>
>> Criticality = not critical
>> Type = RFC822Name
>> Value = the email of the requestor.
>>
>> I'm using the Signed CMC-Authenticated User Certificate Enrollment
>> profile and this is the relevant section of my
>> /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
>>
>> policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
>> policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
>> policyset.cmcUserCertSet.8.constraint.params.extCritical=false
>> policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
>> policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
>> policyset.cmcUserCertSet.8.default.name=Subject Alternative Name
>> Extension Default
>> policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
>> policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
>> policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
>> policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
>> policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
>>
>> The input certificate request is generated using certutil and
>> CMCEnroll and the command used is the following:
>>
>> certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……
>>
>> The certificate is generated, but the extension is not populated
>> with the email address and I always get:
>>
>> Identifier: Subject Alternative Name - 2.5.29.17
>> Critical: no
>> Value:
>> RFC822Name: $request.requestor_email$
>>
>
> Hello,
>
> In short, the email is not being looked at because
> $request.requestor_email$ is created through the WebUI through an
> input box (Requestor Email). See [1] for some more variables. You
> may want to configure the caFullCMCUserCert to copy all subjAltNames
> in the input to the output certificate using the User Supplied
> Extension Default (with 2.5.29.17 as the argument):
> "This default populates a User-Supplied Extension (2.5.29.17) to the
> request."
>
> Josh
>
> [1] http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Adm...
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
>
> https://www.redhat.com/mailman/listinfo/pki-users
Dear Pki-users.
I'm having the same problem when trying to generate user certificates
using the web user interface provided by the RA subsystem.
In short, when I request a user certificate using the "User Enrollment"
link in the RA web interface, I'm presented a form in which I enter the
UID, Full Name, Site ID and email.
The certificate which is produced after the RA agent approves the
request contains again an extension like:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: $request.requestor_email$
The email is contained in the DN of the certificate, which is not what I
want.
I tried to modify the profile caDualRAuserCert, changing the policy 8 as
Josh suggested above, but the answer is that the extension is not found.
Do you have some suggestions?
Thanks a lot
Riccardo
--
-------------------
Riccardo Brunetti
INFN - Torino
Tel: +390116707295
Skype: rbrunetti
-------------------
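As an added example, not part of this thread and not Dogtag/RHCS code: a small Python script that checks for the two things this thread turns on. First it lints a profile .cfg for a Subject Alternative Name Extension Default whose pattern is `$request.requestor_email$` (a variable only the WebUI enrollment form supplies, so a CMC/certutil request ends up with it as a literal) and for the presence of a User Supplied Extension Default for 2.5.29.17 that would copy the SAN from the CSR instead. Second it reads the pretty-printed SAN block as shown above and flags an rfc822Name that is still an unexpanded profile variable. The profile text is a constructed sample built from the policy 8 posted above plus a hypothetical policy 9; the class id `userExtensionDefaultImpl` and parameter `userExtOID` are an assumption taken from the stock Dogtag profiles, not from this thread, so check them against the profiles on your own CA.

```python
"""Lint a Dogtag CA profile for the SAN pitfall in the thread, and check a
pretty-printed certificate for an unexpanded profile variable.
Added example, not Dogtag code. ASSUMPTION: User Supplied Extension Default
is class id `userExtensionDefaultImpl` with parameter `userExtOID`."""
import re
from collections import defaultdict

SAN_OID = "2.5.29.17"
# Only the WebUI enrollment form fills this in; CMCEnroll/certutil requests
# carry no such input, so the default emits the pattern as a literal name.
WEBUI_ONLY_VARS = {"$request.requestor_email$"}

# Constructed sample: policy 8 from the post plus a hypothetical policy 9.
PROFILE_CFG = """\
policyset.cmcUserCertSet.list=1,10,2,3,4,5,6,7,8,9
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
policyset.cmcUserCertSet.9.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.9.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.9.default.params.userExtOID=2.5.29.17
"""

# Constructed sample of the SAN block as pretty-printed in the thread.
PRETTY_PRINT = """\
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: $request.requestor_email$
"""

PROFILE_VAR = re.compile(r"^\$[\w.]+\$$")


def parse_profile(text):
    """Return ({policyset: {policy_no: {key: value}}}, {policyset: [list]})."""
    sets = defaultdict(lambda: defaultdict(dict))
    lists = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) < 3 or parts[0] != "policyset":
            continue
        if parts[2] == "list":
            lists[parts[1]] = [p.strip() for p in value.split(",") if p.strip()]
        elif len(parts) >= 4:
            sets[parts[1]][parts[2]][".".join(parts[3:])] = value
    return sets, lists


def lint_san(text):
    """Findings about SAN handling in the profile; an empty list means clean."""
    findings = []
    sets, lists = parse_profile(text)
    for set_name, policies in sets.items():
        enabled = set(lists.get(set_name, []))
        has_user_ext = False
        for no, kv in policies.items():
            if no not in enabled:
                findings.append(f"{set_name}.{no}: not in {set_name}.list, so ignored")
            cls = kv.get("default.class_id")
            if cls == "subjectAltNameExtDefaultImpl":
                for i in range(int(kv.get("default.params.subjAltNameNumGNs", "0"))):
                    pat = kv.get(f"default.params.subjAltExtPattern_{i}", "")
                    on = kv.get(f"default.params.subjAltExtGNEnable_{i}") == "true"
                    if on and pat in WEBUI_ONLY_VARS:
                        findings.append(f"{set_name}.{no}: pattern {pat} is only set by the "
                                        "WebUI form; CMC requests get it as a literal name")
            elif cls == "userExtensionDefaultImpl" and kv.get("default.params.userExtOID") == SAN_OID:
                has_user_ext = True
        if not has_user_ext:
            findings.append(f"{set_name}: no userExtensionDefaultImpl for {SAN_OID}; "
                            "the SAN in the CSR will not be copied")
    return findings


def san_rfc822_names(pretty):
    """RFC822Name values under the SAN block of a pretty-printed certificate."""
    names, in_san = [], False
    for line in pretty.splitlines():
        line = line.strip()
        if line.startswith("Identifier:"):
            in_san = SAN_OID in line
        elif in_san:
            m = re.match(r"RFC822Name:\s*(.+)$", line)
            if m:
                names.append(m.group(1))
    return names


def unexpanded(names):
    """Values that are still a profile variable rather than an address."""
    return [n for n in names if PROFILE_VAR.match(n)]


if __name__ == "__main__":
    for f in lint_san(PROFILE_CFG):
        print("profile:", f)
    for n in unexpanded(san_rfc822_names(PRETTY_PRINT)):
        print("issued cert: unexpanded SAN value", n)
```

Run it against `/var/lib/pki-ca/profiles/ca/<profile>.cfg` and against `certutil -L -n <nick> -d <dir>` output; with the sample above it reports policy 8 (the literal pattern) and the issued certificate's `$request.requestor_email$` value, while policy 9 satisfies the copy-from-CSR check.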