DogTag 1.3 and Subject Alternate Name
by Gaiseric Vandal
I have installed DogTag 1.3 Certificate Server (CA and RA) components on
Fedora Core 11.
I want to configure a server certificate with a Subject Alternate Name.
I used openssl to create a private key and a certificate signing request
on the server in question.
openssl genrsa -out server1.key -des3 1024
openssl req -new -key server1.key -out server.csr
I am prompted along the way to include an e-mail address and subject
alternate name. Both are permitted but optional in my openssl.cnf file.
I can look at the csr with
openssl req -in server.csr -text
By default, openssl recreates a req with the following line
Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT,
CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail@...
You can see that e-mail and SAN are part of the CN attribute.
I went to the "Certificate System RA Services Page"
(https://myserver:12890) -> SSL End Users Services -> Server Enrollment
-> Request Submission. I pasted the contents of the csr file into the
web page. The administrator (i.e. me) gets e-mail notification of a
certificate request, and follows the link to approve it. However, if I
have included either e-mail or SAN the request will fail because the
subject name doesn't match.
CA: Request Rejected - Subject Name Not Matched
E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My
Company,L=MyCity,ST=California,C=US
If I compare the dogtag error message to the original csr file I can see
that dogtag expects a different syntax for e-mail. Dogtag expects it
as a separate "E" attribute (it still seems to have translated the
attributes appropriately but then complains the subject doesn't
match). I can work around this by either omitting e-mail in the csr
altogether or explicitly setting the subject attribute with the "openssl
req -subj"
-> openssl req -new -key server.key -out server.csr -subj
"/E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My Company
Name,L=MyCity,ST=California,C=US"
Enter pass phrase for server.key:
Subject Attribute E has no known NID, skipped
->
However, I can't figure out how to make this work for the Subject
Alternate Name.
DogTag rejects the certificate with
CA: Request Rejected - Subject Name Not Matched E=mymail(a)company.com
,2.5.29.17=www.company.com,CN=server....
Is there a "NID" parameter that dogtag expects for SAN?
14 years, 1 month
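An added example (not from the original post) that builds a CSR carrying the SAN as a requested X.509v3 extension rather than as a component of the Subject DN; the hostnames and address are the post's placeholders, and the config layout and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: put the SAN in the CSR's
# requested extensions, not as a "/subjectAltName=" DN component (that
# component is what shows up as "2.5.29.17=www.company.com", the OID of
# subjectAltName, in DogTag's rejection). Names are the post's placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the DN carries only name attributes; the SAN sits in the
# section named by req_extensions, so openssl emits it as an extension.
cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = san
prompt             = no

[ dn ]
C            = US
ST           = California
L            = MyCity
O            = MyCompany
OU           = IT
CN           = server.company.com
emailAddress = mymail@company.com

[ san ]
subjectAltName = DNS:www.company.com, DNS:server.company.com
EOF

# Non-interactive key + CSR (2048-bit RSA; the post's 1024-bit key is below
# current minimums, and -nodes skips the pass-phrase prompt for this demo).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -config "$WORK/csr.cnf" 2>/dev/null
}

# Subject DN parsed back from the CSR: only C/ST/L/O/OU/CN/emailAddress.
csr_subject() { openssl req -in "$WORK/server.csr" -noout -subject; }

# SAN parsed from the CSR's "Requested Extensions" block, whitespace stripped.
csr_san() {
    openssl req -in "$WORK/server.csr" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' '
}
make_csr
csr_subject   # DN with no subjectAltName / 2.5.29.17 component
csr_san       # the DNS entries, now outside the DN
```

An RA matches the request against the DN it parsed, so a SAN smuggled into the DN can never match and is not a SAN at all; carried as an extension it leaves the subject untouched and is what the CA copies into the issued certificate.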
PKI subsystem webservice APIs
by Shakthi Kannan
Hi,
Thanks for the Dogtag project. I have been able to install 389-ds and
dogtag-pki-ca on Fedora 13.
I am able to view the services through the browser. I would like to
know if there are any web service APIs or tutorials or documents that
are available to give pointers on how to communicate with these
server subsystems via other servers or programs?
Appreciate any inputs in this regard,
Thanks!
SK
--
Shakthi Kannan
http://www.shakthimaan.com
14 years, 1 month