On 20/03/12 12 15:27, Riccardo Brunetti wrote:

Thanks Joshua for the prompt reply and answer.
I used the User Supplied Extension Default and it works.

Thank you very much again

Best Regards
Riccardo

Riccardo Brunetti
INFN-Torino
Tel: +390116707295




On 20/Mar/2012 12, at 12:29, Joshua Roys wrote:

On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:

Dear pki-users.

I'm trying to setup a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:

Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.

I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:

policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1

The input certificate request is generated using certutil and CMCEnroll and the command used is the following:

certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……

The certificate is generated, but the extension is not populated with the email address and I always get:

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        RFC822Name: $request.requestor_email$


Hello,

In short, the email is not being looked at because $request.requestor_email$ is created through the WebUI through an input box (Requestor Email).  See [1] for some more variables.  You may want to configure the caFullCMCUserCert to copy all subjAltNames in the input to the output certificate using the User Supplied Extension Default (with 2.5.29.17 as the argument):
"This default populates a User-Supplied Extension (2.5.29.17) to the request."

Josh

[1] http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

Dear Pki-users.
I'm having the same problem when trying to generate user certificates using the web user interface provided by the RA subsystem.
In short, when I request a user certificate using the "User Enrollment" link in the RA web interface, I'm presented with a form in which I enter the UID, Full Name, Site ID and email.
The certificate which is produced after the RA agent approves the request contains again an extension like:

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        RFC822Name: $request.requestor_email$

The email is contained in the DN of the certificate, which is not what I want.
I tried to modify the profile caDualRAuserCert, changing the policy 8 as Josh suggested above, but the answer is that the extension is not found.

Do you have some suggestions?

Thanks a lot
Riccardo
-- 
-------------------
Riccardo Brunetti
INFN - Torino
Tel: +390116707295
Skype: rbrunetti
-------------------
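As an added example (not part of the thread or of Dogtag/Red Hat Certificate System), the following Python lints the caFullCMCUserCert SAN policy quoted above for a pattern that depends on `$request.requestor_email$`, and scans a pretty-printed certificate for the symptom Riccardo saw: an RFC822Name whose value is still the unexpanded profile variable. The profile lines and certificate dump are constructed from the thread; the key names are Dogtag's, the check logic and messages are this example's own.

```python
import re
# Constructed sample: the SAN policy lines of caFullCMCUserCert.cfg quoted in the thread.
PROFILE_CFG = """
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
"""
# Constructed sample: the pretty-printed SAN of the issued certificate quoted in the thread.
CERT_DUMP = """
Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        RFC822Name: $request.requestor_email$
"""
UNEXPANDED = re.compile(r"\$[A-Za-z0-9_.]+\$")     # a profile variable that was never substituted
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose sanity check for an RFC822Name value
def parse_profile(text):
    """Dogtag profile .cfg (key=value per line) into a dict; blanks and comments skipped."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg

def check_san_policy(cfg, policyset, n):
    """Flag enabled SAN GN patterns built from $request.requestor_email$ (WebUI-only input)."""
    p, issues = f"policyset.{policyset}.{n}.", []
    for i in range(int(cfg.get(p + "default.params.subjAltNameNumGNs", "0"))):
        pat = cfg.get(p + f"default.params.subjAltExtPattern_{i}", "")
        if cfg.get(p + f"default.params.subjAltExtGNEnable_{i}") == "true" and "requestor_email" in pat:
            issues.append(f"policy {n} GN {i}: {pat} is only populated by the WebUI Requestor Email input")
    return issues

def check_san_values(dump):
    """Flag RFC822Name SAN entries holding an unexpanded profile variable or a non-address."""
    issues, in_san = [], False
    for raw in dump.splitlines():
        s = raw.strip()
        if s.startswith("Identifier:"):
            in_san = "2.5.29.17" in s
        elif in_san and s.startswith("RFC822Name:"):
            val = s.split(":", 1)[1].strip()
            if UNEXPANDED.fullmatch(val):
                issues.append(f"SAN holds unexpanded profile variable {val}")
            elif not EMAIL.match(val):
                issues.append(f"SAN RFC822Name is not an e-mail address: {val}")
    return issues
```

Run `check_san_values` over the output of a real `certutil -L` pretty-print after enrollment to confirm the User Supplied Extension Default fix actually carried the requester's address into the certificate.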