OK:
The reason to ask about the GUI is that this makes it easier for us to make sure
the request has the info needed.
Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
This profile has the default for 2 SANs as in this snippet.
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt Name Constraint
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
Note the NumGNs is set to 2. It also uses parameters from the GUI to populate the values.
If you have more non-standard inputs you want to put in your profile, I believe there is a
user-defined input that can be used. This way you can give it any id you want and the profile
can be told to get that particular value to put in place.
----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Friday, January 13, 2017 10:39:54 AM
Subject: Re: [Pki-users] SAN on Certificate
It's a GUI.
Does it matter? Would it make a difference if I use OpenSSL to generate the CSR?
On Fri, Jan 13, 2017 at 10:38 AM John Magne <jmagne(a)redhat.com> wrote:
> Yes, that is the idea.
>
> If the code is able to pull info out of the request with those id's, as in
> the profile snippet, it will put them in the cert.
>
> Might you let us know what kind of csr you are using? Is it something
> external, or are you using the gui?
>
> ----- Original Message -----
> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Thursday, January 12, 2017 4:57:58 PM
> Subject: Re: [Pki-users] SAN on Certificate
>
> On the CSR there are SAN input fields...would it get them from there using
> the settings you stated below?
>
> On Thu, Jan 12, 2017 at 4:53 PM John Magne <jmagne(a)redhat.com> wrote:
>
> > Hi:
> >
> > Not to sound like a broken record and say the same thing again, but
> > I looked at this link you printed:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> >
> > Note in there for the custom profile it has this setting:
> >
> > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
> >
> > Then for each "index" it has some different settings that determine how
> > the info is gathered for that particular SAN, like this:
> >
> > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
> >
> > and
> >
> > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
> > policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
> >
> > Off the top of my head, I'm not sure where it's getting those "values"
> > from. I'd have to go try it myself.
> >
> > But to start with you might want to just configure your profile in this
> > kind of way, and then we can figure out any problems with where the data
> > is coming from.
> >
> > It may take a quick look at the code to see what is going on there.
> >
> > thanks,
> > jack
> >
> > As a first test, if you are not providing the proper data for say 2 or 3
> > sans, I suspect that the final output may show that you tried
> > to set 3 sans but the data is null or something,
> >
> > thanks,
> > jack
> >
> > ----- Original Message -----
> > > From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> > > To: "John Magne" <jmagne(a)redhat.com>
> > > Cc: pki-users(a)redhat.com
> > > Sent: Thursday, January 12, 2017 3:38:11 PM
> > > Subject: Re: [Pki-users] SAN on Certificate
> > >
> > > Here is the last one I got...
> > >
> > > "The patterns are defined, "hard-coded", as part of the profile
> > > configuration. Therefore the number of SANs for any given profile
> > > is fixed (if you are using the SubjectAltNameExtDefault class).
> > > Each pattern gets formatted using information available in the
> > > request. See the documentation linked below for a table of the
> > > variables you can include in these patterns.
> > >
> > > I cannot see a way to propagate arbitrary domain names, other than
> > > the CN (which is available as the $request.req_subject_name.cn$
> > > variable), into SAN names, via SubjectAltNameExtDefault."
> > >
> > > You also responded with the links I have on this email.
> > >
> > > The original email subject on the list was: "SAN Feild in the MSCE
> > > profile". I think you told me last time you were too busy to help.
> > >
> > > Thanks,
> > >
> > > R
> > >
> > > On Thu, Jan 12, 2017 at 3:25 PM John Magne <jmagne(a)redhat.com> wrote:
> > >
> > > > Yeah sure, just forward it to the list.
> > > >
> > > > ----- Original Message -----
> > > > From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> > > > To: "John Magne" <jmagne(a)redhat.com>
> > > > Cc: pki-users(a)redhat.com
> > > > Sent: Thursday, January 12, 2017 3:08:50 PM
> > > > Subject: Re: [Pki-users] SAN on Certificate
> > > >
> > > > I can send you the email that I got from the list? Will this be good?
> > > >
> > > > Thanks,
> > > >
> > > > R
> > > >
> > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne <jmagne(a)redhat.com> wrote:
> > > >
> > > > > Hi:
> > > > >
> > > > > Is there any way you can reproduce the confusing answer you got, which may
> > > > > give us a head start?
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> > > > > > To: pki-users(a)redhat.com
> > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM
> > > > > > Subject: Re: [Pki-users] SAN on Certificate
> > > > > >
> > > > > > Any takers?
> > > > > >
> > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa <spawn(a)rloteck.net>
> > > > > > wrote:
> > > > > >
> > > > > > Hi Everyone,
> > > > > >
> > > > > > I am sorry for asking this question again, but the last time I asked it, I
> > > > > > was confused with the answer. I am trying to create a "certificate profile"
> > > > > > that will support 3 to 4 SAN (Subject Alternative Names), since the current
> > > > > > profiles do not have support for this by default. I was trying to duplicate
> > > > > > the "Manual Server Certificate Enrollment" profile, and adding SAN support.
> > > > > >
> > > > > > I tried using this as a guide:
> > > > > >
> > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> > > > > >
> > > > > > and
> > > > > >
> > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> > > > > > Names .html
> > > > > >
> > > > > > This is what the profile looks like:
> > > > > >
> > > > > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > > > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > > > > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> > > > > > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> > > > > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > > > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> > > > > > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> > > > > > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> > > > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> > > > > >
> > > > > > The CSR looks like this:
> > > > > >
> > > > > > *Common Name:* node1.example.com
> > > > > > *Subject Alternative Names:* test.example.com, test1.example.com, test2.example.com
> > > > > > *Organization:* Test Corp
> > > > > > *Organization Unit:* IT Department
> > > > > > *Locality:* LA
> > > > > > *State:* OR
> > > > > > *Country:* US
> > > > > >
> > > > > > I am going to do this instead of using wildcard certs.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Rafael
> > > > > >
> > > > > > _______________________________________________
> > > > > > Pki-users mailing list
> > > > > > Pki-users(a)redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/pki-users
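As an added example (not code from this thread or from the Dogtag/RHCS project), here is a small Python checker for the SubjectAltNameExtDefault parameters the whole thread turns on: it parses the key=value lines of a profile, flags an enabled generalName whose pattern is empty (the `subjAltExtPattern_0=` in Rafael's profile, which is why his SAN comes out with no data) or an index that `subjAltNameNumGNs` does not cover, and fills `$request.X$` placeholders from a request attribute map the way jack describes. The flat request map keyed by attribute path and the three-entry set of known types are simplifying assumptions; the sample profile text is constructed.

```python
import re

# Constructed sample profile fragment (not the OP's exact file): his empty DNSName
# pattern at index 0, plus a second entry using the CN variable quoted in the thread.
SAMPLE_PROFILE = """
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=2
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_subject_name.cn$
"""
PREFIX = "policyset.serverCertSet.9.default.params."
KNOWN_TYPES = {"RFC822Name", "DNSName", "OtherName"}  # assumption: only the types seen in this thread
VAR_RE = re.compile(r"\$request\.([A-Za-z0-9_.]+)\$")  # $request.<attr>$ placeholders

def parse_profile(text):
    """Read key=value lines of a profile .cfg into a dict (blank and comment lines skipped)."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line and not line.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_san_defaults(cfg, prefix=PREFIX):
    """List misconfigurations in the SubjectAltNameExtDefault parameters."""
    num = int(cfg.get(prefix + "subjAltNameNumGNs", "0"))
    findings = []
    for i in range(num):  # only indices below NumGNs are ever emitted into the cert
        if cfg.get(f"{prefix}subjAltExtGNEnable_{i}") != "true":
            findings.append(f"GN {i}: counted by NumGNs but not enabled")
        elif not cfg.get(f"{prefix}subjAltExtPattern_{i}"):
            findings.append(f"GN {i}: enabled with an empty pattern, SAN would carry no data")
        elif cfg.get(f"{prefix}subjAltExtType_{i}") not in KNOWN_TYPES:
            findings.append(f"GN {i}: unknown or missing subjAltExtType")
    for key in cfg:  # entries indexed at or past NumGNs are configured but never used
        m = re.search(r"subjAltExtGNEnable_(\d+)$", key)
        if m and int(m.group(1)) >= num:
            findings.append(f"GN {m.group(1)}: defined but not counted by subjAltNameNumGNs={num}")
    return findings

def build_sans(cfg, request, prefix=PREFIX):
    """Fill each enabled pattern from request attributes; None marks data the request lacks."""
    sans = []
    for i in range(int(cfg.get(prefix + "subjAltNameNumGNs", "0"))):
        if cfg.get(f"{prefix}subjAltExtGNEnable_{i}") == "true":
            pattern = cfg.get(f"{prefix}subjAltExtPattern_{i}", "")
            usable = pattern and all(v in request for v in VAR_RE.findall(pattern))
            # an empty pattern or a missing attribute gives the "data is null" result jack predicts
            value = VAR_RE.sub(lambda m: request[m.group(1)], pattern) if usable else None
            sans.append((cfg.get(f"{prefix}subjAltExtType_{i}"), value))
    return sans
```

Running `check_san_defaults(parse_profile(SAMPLE_PROFILE))` reports the empty pattern at index 0 and nothing else; pointing that pattern at `$request.req_subject_name.cn$` clears the finding.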