12:17 p.m.
Hi all,
I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[...]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com
[...]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
3:22 a.m.
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] Im Auftrag von Ian
Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users(a)redhat.com
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
12:57 p.m.
Thanks Supper. Is there a clear documentation on how to create a new
certificate profile that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output
caServerSANCert.cfg --raw caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw
caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there
are no inputs for me to fill in like the default caServerCert profile.
Just some text about Cert profile and description, then Inputs in bold and
a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
Im Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users(a)redhat.com
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS
7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
2:40 p.m.
I've tried a variety ways to get this to go into the system and either I'm
missing something obvious or there's something buggy going on. I figured
out the test system that wasn't giving me inputs to fill in on the request
was an older version 10.2.5. I've updated that system to 10.3.3.
* pki ca-profile-show --output caServerCert.cfg --raw caServerCert
* pki ca-profile-disable caServerCert
Edit the file and add in the following lines to the bottom of the profile:
[...---...]
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
[...---...]
NOTE: I changed the policyset to match what the rest of the profile said
in the default caServerCert profile from 10.3.3 install. From
ServerProfile to serverCertSet.
* pki ca-profile-add caServerCert.cfg --raw
Then go to the WebUI and submit a request that has SAN entries in it.
After I approve it, there are no SANs in the cert.
What am I missing?
Thanks
ian
On Tue, 15 Nov 2016 at 12:57 Ian Koenig <iguy(a)ionsphere.org> wrote:
Thanks Supper. Is there a clear documentation on how to create a
new
certificate profile that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output
caServerSANCert.cfg --raw caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw
caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there
are no inputs for me to fill in like the default caServerCert profile.
Just some text about Cert profile and description, then Inputs in bold and
a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
Im Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users(a)redhat.com
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS
7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
8:08 a.m.
Hi Ian,
There is an redhat documentation available for dogtag version 8 and 9. They might help
you.
In my case, I mostly copy an existing profile and made the changes I’ve need in the copied
one.
BR
Florian
Von: Ian Koenig [mailto:iguy@ionsphere.org]
Gesendet: Dienstag, 15. November 2016 19:57
An: Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
Betreff: Re: [Pki-users] SubjectAltName - how?
Thanks Supper. Is there a clear documentation on how to create a new certificate profile
that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw
caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there are no inputs for
me to fill in like the default caServerCert profile. Just some text about Cert profile
and description, then Inputs in bold and a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT
<Florian.Supper@s-itsolutions.at<mailto:Florian.Supper@s-itsolutions.at>>
wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name<http://policyset.ServerProfile.10.constraint.name>=No
Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name<http://policyset.ServerProfile.10.default.name>=User
Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>
[mailto:pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] Im
Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
11:28 p.m.
How do you modify your profile? I've followed the redhat documentation
and stuff doesn't work. As such I feel like I'm missing something based on
how you are talking.
How do you submit new requests? Through the Web UI or command line with
the pki command?
If via the WebUI does the agents page change when you change the profile
configurations?
Thanks
On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi Ian,
There is an redhat documentation available for dogtag version 8 and 9.
They might help you.
In my case, I mostly copy an existing profile and made the changes I’ve
need in the copied one.
BR
Florian
*Von:* Ian Koenig [mailto:iguy@ionsphere.org]
*Gesendet:* Dienstag, 15. November 2016 19:57
*An:* Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
*Betreff:* Re: [Pki-users] SubjectAltName - how?
Thanks Supper. Is there a clear documentation on how to create a new
certificate profile that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output
caServerSANCert.cfg --raw caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw
caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there
are no inputs for me to fill in like the default caServerCert profile.
Just some text about Cert profile and description, then Inputs in bold and
a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
Im Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users(a)redhat.com
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS
7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
11:35 p.m.
Hi,
i used the profile in /var/lib/pki-myca/ca/profiles/
I’ve used the profile through webUI, CMC and SCEP.
where are your profile files located?
can you send me an example?
BR
Florian
Von: Ian Koenig [mailto:iguy@ionsphere.org]
Gesendet: Freitag, 18. November 2016 06:28
An: Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
Betreff: Re: [Pki-users] SubjectAltName - how?
How do you modify your profile? I've followed the redhat documentation and stuff
doesn't work. As such I feel like I'm missing something based on how you are
talking.
How do you submit new requests? Through the Web UI or command line with the pki
command?
If via the WebUI does the agents page change when you change the profile configurations?
Thanks
On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT
<Florian.Supper@s-itsolutions.at<mailto:Florian.Supper@s-itsolutions.at>>
wrote:
Hi Ian,
There is an redhat documentation available for dogtag version 8 and 9. They might help
you.
In my case, I mostly copy an existing profile and made the changes I’ve need in the copied
one.
BR
Florian
Von: Ian Koenig [mailto:iguy@ionsphere.org<mailto:iguy@ionsphere.org>]
Gesendet: Dienstag, 15. November 2016 19:57
An: Supper Florian 6342 sIT; Ian Koenig;
pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: Re: [Pki-users] SubjectAltName - how?
Thanks Supper. Is there a clear documentation on how to create a new certificate profile
that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw
caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there are no inputs for
me to fill in like the default caServerCert profile. Just some text about Cert profile
and description, then Inputs in bold and a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT
<Florian.Supper@s-itsolutions.at<mailto:Florian.Supper@s-itsolutions.at>>
wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name<http://policyset.ServerProfile.10.constraint.name>=No
Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name<http://policyset.ServerProfile.10.default.name>=User
Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>
[mailto:pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] Im
Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
4:20 a.m.
Hi Ian,
i’ve lost your last mail..
but I could remember what the question was..
You’ve copied the part I’ve send to you in your profile and tried to enroll a cert..
But if you sign the cert the sans are not included..
Please have a look at this line in your profile..
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
In this line the Number of the SAN extension part, which I’ve send to you has to be
included.. So add a “10” at the end of the line below. Restart your ca service and try
again..
If this does not work too, please send me your whole profile, and I will test it in my
testing environment..
Br
Florian
Von: Ian Koenig [mailto:iguy@ionsphere.org]
Gesendet: Freitag, 18. November 2016 06:28
An: Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
Betreff: Re: [Pki-users] SubjectAltName - how?
How do you modify your profile? I've followed the redhat documentation and stuff
doesn't work. As such I feel like I'm missing something based on how you are
talking.
How do you submit new requests? Through the Web UI or command line with the pki
command?
If via the WebUI does the agents page change when you change the profile configurations?
Thanks
On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT
<Florian.Supper@s-itsolutions.at<mailto:Florian.Supper@s-itsolutions.at>>
wrote:
Hi Ian,
There is an redhat documentation available for dogtag version 8 and 9. They might help
you.
In my case, I mostly copy an existing profile and made the changes I’ve need in the copied
one.
BR
Florian
Von: Ian Koenig [mailto:iguy@ionsphere.org<mailto:iguy@ionsphere.org>]
Gesendet: Dienstag, 15. November 2016 19:57
An: Supper Florian 6342 sIT; Ian Koenig;
pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: Re: [Pki-users] SubjectAltName - how?
Thanks Supper. Is there a clear documentation on how to create a new certificate profile
that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw
caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there are no inputs for
me to fill in like the default caServerCert profile. Just some text about Cert profile
and description, then Inputs in bold and a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT
<Florian.Supper@s-itsolutions.at<mailto:Florian.Supper@s-itsolutions.at>>
wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name<http://policyset.ServerProfile.10.constraint.name>=No
Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name<http://policyset.ServerProfile.10.default.name>=User
Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>
[mailto:pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] Im
Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
10:52 a.m.
Awesome.. thanks Florian. That was what I was missing.
Here are the steps I take now. As secondary question the redhat
documentation talks about the subjAltNameExtensionImpl that does more
detailed validation of the SAN entries. Do you know how to make that
work?
--- Steps to add SAN now:
1) Pki <admin options> ca-profile-show --output caServerSANCert.cfg --raw
caServerCert
2) Edit this and add in the following lines (make sure the # don't conflict)
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
3) Update the line
a. profileId=caServerSANCert
b. desc= <Update it to be unique like adding with SAN to it>
c. name=<Update it to be unique and add in something with SAN>
d. policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
4) Pki <admin options> ca-profile-add --raw caServerSANCert.cfg
5) Pki <admin options> ca-profile-find --size 60 (see options for more
things to look at)
a. Should see the new profile here now
6) Go to the Admin port of PKI and approve it (Agent Services)
a. Manage Certificate Profiles
b. Find the one with caServerSANCert and Approve it.
OR
Pki <admin options> ca-profile enable caServerSANCert
7) Go to the SSL End User Services and this is now a profile that can be
selected
Thanks again.
On Tue, 22 Nov 2016 at 04:20 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi Ian,
i’ve lost your last mail..
but I could remember what the question was..
You’ve copied the part I’ve send to you in your profile and tried to
enroll a cert..
But if you sign the cert the sans are not included..
Please have a look at this line in your profile..
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
In this line the Number of the SAN extension part, which I’ve send to you
has to be included.. So add a “10” at the end of the line below. Restart
your ca service and try again..
If this does not work too, please send me your whole profile, and I will
test it in my testing environment..
Br
Florian
*Von:* Ian Koenig [mailto:iguy@ionsphere.org]
*Gesendet:* Freitag, 18. November 2016 06:28
*An:* Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
*Betreff:* Re: [Pki-users] SubjectAltName - how?
How do you modify your profile? I've followed the redhat documentation
and stuff doesn't work. As such I feel like I'm missing something based on
how you are talking.
How do you submit new requests? Through the Web UI or command line with
the pki command?
If via the WebUI does the agents page change when you change the profile
configurations?
Thanks
On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi Ian,
There is an redhat documentation available for dogtag version 8 and 9.
They might help you.
In my case, I mostly copy an existing profile and made the changes I’ve
need in the copied one.
BR
Florian
*Von:* Ian Koenig [mailto:iguy@ionsphere.org]
*Gesendet:* Dienstag, 15. November 2016 19:57
*An:* Supper Florian 6342 sIT; Ian Koenig; pki-users(a)redhat.com
*Betreff:* Re: [Pki-users] SubjectAltName - how?
Thanks Supper. Is there a clear documentation on how to create a new
certificate profile that is visible via the WebUI?
I tried this process:
1) pki -C client_password.txt -n caadmin ca-server-show --output
caServerSANCert.cfg --raw caServerCert
a) Add in the lines you specified above to caServerSANCert.cfg
b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw
caServerSANCert.cfg
5) Approve this new profile.
What happens when I attempt to issue a cert request via the WebUI, there
are no inputs for me to fill in like the default caServerCert profile.
Just some text about Cert profile and description, then Inputs in bold and
a Submit button.
Thanks
ian
On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <
Florian.Supper(a)s-itsolutions.at> wrote:
Hi,
You have to add the following lines into your certificate profile..
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
Then the SAN's will be added to the certificate.
BR
Florian
-----Ursprüngliche Nachricht-----
Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
Im Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users(a)redhat.com
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
Hi all,
I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS
7 . 2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
[ . . . ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names
[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com
[ . . . ]
This generates a valid CSR with the SubjectAltNames in it. However when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?
Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https : / / www . redhat . com / mailman / listinfo / pki-users
2951
days inactive
2959
days old
8 comments
2 participants
participants (2)
-
Ian Koenig -
Supper Florian 6342 sIT