I've tried a variety of ways to get this to go into the system and either I'm missing something obvious or there's something buggy going on.  I figured out the test system that wasn't giving me inputs to fill in on the request was an older version, 10.2.5.   I've updated that system to 10.3.3.   

* pki ca-profile-show --output caServerCert.cfg --raw caServerCert
* pki ca-profile-disable caServerCert
Edit the file and add in the following lines to the bottom of the profile:
[...---...]
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
[...---...]
NOTE:  I changed the policyset to match what the rest of the profile said in the default caServerCert profile from the 10.3.3 install, from ServerProfile to serverCertSet.
* pki ca-profile-add caServerCert.cfg --raw 

Then go to the WebUI and submit a request that has SAN entries in it.   After I approve it, there are no SANs in the cert.   

What am I missing?  


Thanks
ian
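The six lines quoted in this thread leave two things implicit: the policy set name in each key has to match the one the profile itself declares (the ServerProfile vs serverCertSet point above), and the new policy index has to appear in the set's list line, or the CA never evaluates it. The script below is an added example, not code from the thread or from Dogtag: it takes a raw profile file as exported by `pki ca-profile-show --raw`, reads the set name from `policyset.list=<set>` and the active IDs from `policyset.<set>.list=1,2,...` (my understanding of the raw profile format; verify against your own export), picks the next free index, appends the userExtensionDefaultImpl entry for OID 2.5.29.17 and adds the index to the list. The `make_sample_profile` function writes a constructed three-policy profile for demonstration; the key names in it are illustrative, not a copy of the shipped caServerCert.

```shell
#!/bin/sh
# Append a "copy the CSR's subjectAltName" policy to a Dogtag raw profile file.
# Assumptions (mine, not taken from the thread): the profile declares its
# policy set as "policyset.list=<set>" and enumerates the active policy IDs
# as "policyset.<set>.list=1,2,...". An entry whose index is missing from
# that list is ignored by the CA, so the new index is added to it as well.
set -eu

# Print the first policy set declared by the profile.
policyset_name() {
    sed -n 's/^policyset\.list=//p' "$1" | sed 's/,.*//' | head -n 1
}

# Print the next unused numeric policy ID for set $2 in profile $1.
next_policy_id() {
    _max=$(sed -n "s/^policyset\.$2\.list=//p" "$1" | tr ',' '\n' | sort -n | tail -n 1)
    echo $(( ${_max:-0} + 1 ))
}

# Succeed if the profile already carries a user-supplied-extension default
# for subjectAltName (2.5.29.17), so the edit is not applied twice.
has_san_policy() {
    grep -q '\.default\.params\.userExtOID=2\.5\.29\.17$' "$1"
}

# Rewrite $1 in place; print the index used, or nothing if already present.
add_san_policy() {
    profile=$1
    if has_san_policy "$profile"; then
        echo "SAN pass-through policy already present in $profile" >&2
        return 0
    fi
    set_name=$(policyset_name "$profile")
    [ -n "$set_name" ] || { echo "no policyset.list line in $profile" >&2; return 1; }
    id=$(next_policy_id "$profile" "$set_name")
    cur=$(sed -n "s/^policyset\.${set_name}\.list=//p" "$profile" | head -n 1)
    if [ -n "$cur" ]; then new="$cur,$id"; else new="$id"; fi
    tmp=$(mktemp)
    # rewrite the active-ID list, keep every other line untouched
    sed "s/^policyset\.${set_name}\.list=.*$/policyset.${set_name}.list=${new}/" "$profile" > "$tmp"
    cat >> "$tmp" <<EOF
policyset.${set_name}.${id}.constraint.class_id=noConstraintImpl
policyset.${set_name}.${id}.constraint.name=No Constraint
policyset.${set_name}.${id}.constraint.subjAltNameExtCritical=false
policyset.${set_name}.${id}.default.class_id=userExtensionDefaultImpl
policyset.${set_name}.${id}.default.name=User Supplied Extension Default
policyset.${set_name}.${id}.default.params.userExtOID=2.5.29.17
EOF
    mv "$tmp" "$profile"
    echo "$id"
}

# Constructed sample profile for demonstration; not the shipped caServerCert.
make_sample_profile() {
    cat > "$1" <<'EOF'
profileId=caServerCert
visible=true
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.3.default.class_id=keyUsageExtDefaultImpl
EOF
}

# Stand-alone use: sh san-policy.sh caServerCert.cfg
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    add_san_policy "$1"
fi
```

After editing, the file still has to be loaded back into the CA; for a profile ID that already exists I would expect the modify subcommand (`pki ca-profile-mod --raw <file>`, as I recall the CLI; check `pki ca-profile --help` on your version) rather than `ca-profile-add`, followed by `ca-profile-enable`. The CA can only copy a SAN that is actually present in the CSR, so before blaming the profile, confirm with `openssl req -in server.csr -noout -text` that the subjectAltName appears under Requested Extensions; with the cnf shown at the start of this thread that requires `-reqexts v3_req` (or `req_extensions = v3_req` in the `[ req ]` section) when generating the request.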


On Tue, 15 Nov 2016 at 12:57 Ian Koenig <iguy@ionsphere.org> wrote:
Thanks Supper.   Is there clear documentation on how to create a new certificate profile that is visible via the WebUI?

I tried this process:

1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw caServerCert

   a) Add in the lines you specified above to caServerSANCert.cfg

   b) Update the line profileID to be caServerSANCert

2) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg

3) Approve this new profile.

What happens is that when I attempt to issue a cert request via the WebUI, there are no inputs for me to fill in like there are for the default caServerCert profile.  Just some text about Cert profile and description, then Inputs in bold and a Submit button.  


Thanks
ian


On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <Florian.Supper@s-itsolutions.at> wrote:
Hi,
You have to add the following lines into your certificate profile:

policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17

Then the SANs will be added to the certificate.

BR
Florian

-----Original Message-----
From: pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Ian Koenig
Sent: Monday, 14 November 2016 19:18
To: pki-users@redhat.com
Subject: [Pki-users] SubjectAltName - how?

Hi all,

I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2
(build 1511) system.

I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.

What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it.   An example cnf file I have tried
is

[ ... ]
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com

[ ... ]

This generates a valid CSR with the SubjectAltNames in it.   However when I
send it through to be approved on Dogtag, the SAN gets removed.  How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?

Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users