On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:
Dear pki-users,

I'm trying to set up a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:

Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.

I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
The input certificate request is generated using certutil and CMCEnroll, and the command used is the following:

certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……
The certificate is generated, but the extension is not populated with the email address and I always get:

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        RFC822Name: $request.requestor_email$

Hello,

In short, the email is not being looked at because $request.requestor_email$ is created through the WebUI, through an input box (Requestor Email). See [1] for some more variables. You may want to configure the caFullCMCUserCert to copy all subjAltNames in the input to the output certificate using the User Supplied Extension Default (with 2.5.29.17 as the argument): "This default populates a User-Supplied Extension (2.5.29.17) to the request."
Josh
[1] http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates
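What the change Josh describes looks like in the profile file, written as an added example for this page (it is neither Riccardo's posted config nor the caFullCMCUserCert.cfg shipped with pki-ca). It keeps policy set index 8 and the Extension Constraint lines from the post above, and swaps the Subject Alternative Name Extension Default (whose $request.requestor_email$ pattern is only filled from the web form's Requestor Email input, so a CMC request leaves it as a literal string) for the User Supplied Extension Default, which copies the SAN that certutil -7 put into the CSR. The assumptions are that index 8 is already listed in policyset.cmcUserCertSet.list (it must be, since the extension was being emitted) and that the parameter name is userExtOID, as in the server certificate profile that ships with Dogtag.

```properties
# Added example, not the original poster's configuration.
# Replaces the policyset.cmcUserCertSet.8.* block in
# /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg.
# The constraint is unchanged: it rejects a request whose SAN (2.5.29.17)
# is marked critical, so the CSR cannot force a critical SAN on the CA.
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
# The default now copies the requester-supplied SAN from the CSR instead of
# expanding a pattern variable that only the web UI populates.
policyset.cmcUserCertSet.8.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.8.default.name=User Supplied Extension Default
policyset.cmcUserCertSet.8.default.params.userExtOID=2.5.29.17
```

Restart the pki-ca instance after editing the profile so it is re-read. The trade-off to keep in mind: with this default the CA no longer decides what goes into the SAN, it signs whatever rfc822Name the requester put in the CSR, so the check that the email actually belongs to the requester moves to whoever signs the CMC request or approves it in the agent interface. If the CA must assert the email itself, keep the pattern default and submit the enrollment through the web form that populates Requestor Email.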
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users