I'm trying to set up a pki-ca instance to produce X.509 certificates which include a Subject Alternative Name extension with the following attributes:
Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.
I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
The input certificate request is generated using certutil and CMCEnroll and the command used is the following:
certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……
The certificate is generated, but the extension is not populated with the email address and I always get:
Identifier: Subject Alternative Name - 220.127.116.11
These are the installed packages:
Does anybody have any suggestions on how to solve this issue? Any input would be very much appreciated.
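One way to confirm what the poster is seeing, as an added example that is not part of the original post and not Dogtag code: a small stdlib-only DER parser for the Subject Alternative Name extension (RFC 5280, id-ce-subjectAltName = 2.5.29.17). It takes the DER bytes of one Extension as they appear in a certificate's extensions list (assumed to have been pulled out already, e.g. with an ASN.1 dumper) and reports the criticality flag and every rfc822Name it carries. The two sample extensions below are constructed inline: one populated with an email, and one with an empty GeneralNames sequence, which is the "extension present but no address" symptom described above.

```python
"""Minimal DER parser for the X.509 Subject Alternative Name extension.

Added example, not code from the original post or from the Dogtag project.
Decodes Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
and, inside extnValue, GeneralNames ::= SEQUENCE OF GeneralName, keeping only
the rfc822Name ([1] IMPLICIT IA5String) entries. Sample inputs are constructed.
"""

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName


def _read_tlv(data, pos=0):
    """Read one DER TLV starting at pos; return (tag, content_bytes, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes into dotted form (55 1d 11 -> 2.5.29.17)."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_san_extension(ext_der):
    """Return {'oid', 'critical', 'rfc822'} for a DER-encoded SAN Extension.

    Raises ValueError if the bytes are not a subjectAltName extension.
    """
    tag, body, _ = _read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(body)
    oid = _decode_oid(oid_bytes)
    if oid != SAN_OID:
        raise ValueError(f"not a subjectAltName extension: {oid}")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN critical (absent means FALSE)
        critical = value != b"\x00"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, names, _ = _read_tlv(value)  # OCTET STRING wraps GeneralNames
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    emails = []
    pos = 0
    while pos < len(names):
        tag, gn, pos = _read_tlv(names, pos)
        if tag == 0x81:  # [1] IMPLICIT IA5String = rfc822Name
            emails.append(gn.decode("ascii"))
    return {"oid": oid, "critical": critical, "rfc822": emails}


def _tlv(tag, content):
    """Encode a short-form DER TLV (content under 128 bytes; enough for the samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_san_extension(emails, critical=False):
    """Build a SAN Extension carrying the given rfc822Name values (constructed sample data)."""
    general_names = b"".join(_tlv(0x81, e.encode("ascii")) for e in emails)
    parts = _tlv(0x06, b"\x55\x1d\x11")  # OBJECT IDENTIFIER 2.5.29.17
    if critical:
        parts += _tlv(0x01, b"\xff")
    parts += _tlv(0x04, _tlv(0x30, general_names))
    return _tlv(0x30, parts)


# Constructed samples: the address here is a placeholder, not one from the post.
POPULATED = build_san_extension(["user@example.com"])
EMPTY = build_san_extension([])  # extension present, but GeneralNames is empty

if __name__ == "__main__":
    for label, ext in (("populated", POPULATED), ("empty", EMPTY)):
        print(label, parse_san_extension(ext))
```

A SAN extension whose GeneralNames sequence is empty is the signature of a profile default that was applied but given no value to copy; checking the decoded rfc822 list, rather than only the extension's presence, is what distinguishes the two cases.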
The Dogtag team is pleased to announce the availability of an Alpha
Release of the Dogtag 10.0 code.
This release contains the following features:
1. Extension of the functionality of the DRM to store and retrieve symmetric keys and passphrases, rather than only asymmetric keys. This feature allows the DRM to be used as a secure vault-like storage for essentially any sensitive data. The data is stored using the same secure FIPS-compliant storage mechanism used to store PKI keys.
2. The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy framework. This provides an intuitive mechanism for writing clients to the interface. Both Java (using the RESTEasy client proxy framework) and Python clients have been coded. The server uses standard Java libraries to generate and parse XML or JSON input and output data.
3. Extracted authentication and authorization code from the individual servlets into a standard Tomcat authentication realm. This realm has been configured to require client certificate authentication, and is being used to secure the new DRM REST interface. In the future, this authentication realm could be extended to include other kinds of authentication (such as Kerberos). This is part of a push to refactor the code to expose the core business functionality in the servlets, while extracting the ancillary tasks (authorization, XML parsing and generation, etc.) and using standard methods and libraries to accomplish these tasks.
4. Enhanced Java subsystems so that they could connect to the internal database using a non-directory manager user, that is authenticated using client authentication. This resolves a number of issues with LDAP operations ignoring search limits. In addition, some changes have been made to allow integrating the Dogtag database with other systems such as IPA.
5. A new package pki-deploy contains the initial framework for an installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a Dogtag instance. This will ultimately replace the pki-setup (pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent) package.
6. Much of the focus of this release was on cleaning up and modernizing the Dogtag source code.
* Dogtag source code has been moved to git.
* Java coding standards have been revised - and the code has been reformatted to match those.
* Initially, Eclipse reported about 13000 warnings in the dogtag code. Those have been reduced to close to 2400. This included removing dead and unused code, replacing calls to deprecated functions and replacing raw collections with type-safe generics. NOTE: These numbers currently exclude console code.
* OSUtil is a package that has certain utilities that were not available when the Dogtag code was originally written. These utilities are now available in libraries - and so this package has been eliminated entirely.
* Improved handling of short and long lived threads which allow threads to exit gracefully on
The builds can be found at the following links:
- Fedora 16 (32-bit i686)
- Fedora 16 (64-bit x86_64)
- Fedora 16 (Source)
- Fedora 17 (32-bit i686)
- Fedora 17 (64-bit x86_64)
- Fedora 17 (Source)