Re: [Pki-users] Modify Certificate Profies - include SubjectAltName

I have succeeded adding the SubjectAltName extension - it turns out the Policy settings in the DogTac CA is set to capture the "Requestor Email" field while the Subject's Email field is the value that go into the 'E=' part of the DN! Is this by "intend" or can/should the Profile file(s) be modified to guarantee the email values in the DN and the SubjectAltName cannot be different (i.e. abounding a typical user-introduced error). Ebbe @ SPYRUS

"This message and any attached documents contain SPYRUS confidential and/or proprietary information and may be subject to privilege or exempt from disclosure under applicable law. These materials are intended only for the use of the intended recipient. If you are not the intended recipient of this electronic message, you are hereby notified that any use of this message is strictly prohibited. Delivery of this message to any person other than the intended recipient shall not constitute any waiver of any privilege. If you have received this message in error, please delete this message from your system and notify the sender immediately. Thank you." -----Original Message----- From: Marc Sauton [mailto:msauton@redhat.com] Sent: Wednesday, April 30, 2008 10:17 AM To: Ebbe Hansen Cc: pki-users(a)redhat.com Subject: Re: [Pki-users] Modify Certificate Profies - include SubjectAltName If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg has policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ estor_email$ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true and the enrollment request has an e-mail, the subject alt name extension field should be correctly initialized upon certificate issuance. You may want to turn on some debug in CS.cfg debug.enabled=true debug.level=0 and see your debug log for more details. M. It depends how the request hadEbbe Hansen wrote: > Looking at the 'CAUserCert.cfg' profile (first profile on the WEB > Agent profile-list) it appears it should trigger the inclusion of the > "SubjectAltName" extension. I have not been successful generating any > certicites where the SubjectAltName extension is included! > > In the Agents display the SubjectAltName is listed as 'Null' - even > after editing the 'Null' to the desired RFC822 value, the issued > certificate always comes without any SubjectAtltName extension? > > What can I do to get the CA to include the SubjectAltName extension? I > > am always specifying an email value in the request field! > > Ebbe > > "This message and any attached documents contain SPYRUS confidential > and/or proprietary information and may be subject to privilege or > exempt from disclosure under applicable law. These materials are > intended only for the use of the intended recipient. If you are not > the intended recipient of this electronic message, you are hereby > notified that any use of this message is strictly prohibited. Delivery > > of this message to any person other than the intended recipient shall > not constitute any waiver of any privilege. If you have received this > message in error, please delete this message from your system and > notify the sender immediately. Thank you." > > > ------------------------------------------------------------------------ > *From:* pki-users-bounces(a)redhat.com > [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris > *Sent:* Wednesday, April 09, 2008 10:10 PM > *To:* pki-users(a)redhat.com > *Subject:* Re: [Pki-users] Modify Certificate Profies > > Thanks. That worked. > > On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com > <mailto:cfu@redhat.com>> wrote: > > Profiles can be configured in <Dogtag install root>/profiles/ca. If > you add your own new profiles, you need to modify <Dogtag install > root>//conf/CS.cfg "profile.list" to contain the new profile name, and > > add the corresponding "class_id" and "config" (see the existing > entries in CS.cfg as example), and restart the CA. > > In addition, Dogtag provides flexible plugin infrastructure that > allows people to customize various areas. Profile is one of them. > The standard profile related polugins code is in > pki/base/common/src/com/netscape/cms/profile/. That's for advanced > users who know what they are doing. Make sure the certs produced still > > comply. > > hope this helps. > Christina > > Chris wrote: > > > Sorry, hit the send by mistake.... > > I've succesfully installed Dogtag. The documentation was clear and I > didn't have any issues. > My question is in regards to customizing certificate profiles. In the > current CA environment I manager, I deal with customizing profiles. Is > > there a way to create customized certificate profiles? > The fields which apply are: > CertificatePolicies > - Policy Identifier > - User Notice with custom text > ExtendedKeyUsage > - New Key Usage OID > Also, in one profile, we've created a new field that programically > ties to the EKU > > On our current CA software, a config file is modified to customize > profiles. Also there is some DER encoding required to convert the > appropriate text. > > Is this feature available? > > > ------------------------------------------------------------------------ > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> > https://www.redhat.com/mailman/listinfo/pki-users > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> > https://www.redhat.com/mailman/listinfo/pki-users > > > ------------------------------------------------------------------------ > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users