Hi Marc,
2016-12-09 1:05 GMT+01:00 Marc Sauton <msauton(a)redhat.com>:
you could try to modify a profile for SSL server certificate
enrollment:
cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
...snip...
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
...snip...
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.name=Extension Constraint
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.constraint.params.extCritical=false
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.params.userExtCritical=false
Excellent, it works like a charm! I just changed
extensionConstraintImpl to noConstraintImpl so that the extensions are
not mandatory anymore. Here is the complete Puppet trusted facts
sequence. Useful for using Dogtag (FreeIPA in my case) as an external
PKI for Puppet.
Many thanks
Joris
policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.constraint.params.extCritical=false
policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.default.params.userExtCritical=false
policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.constraint.params.extCritical=false
policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.default.params.userExtCritical=false
policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.constraint.params.extCritical=false
policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.default.params.userExtCritical=false
policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.constraint.params.extCritical=false
policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.default.params.userExtCritical=false
policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.constraint.params.extCritical=false
policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.default.params.userExtCritical=false
policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.constraint.params.extCritical=false
policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.default.params.userExtCritical=false
policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.constraint.params.extCritical=false
policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.default.params.userExtCritical=false
policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.constraint.params.extCritical=false
policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.default.params.userExtCritical=false
policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.constraint.params.extCritical=false
policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.default.params.userExtCritical=false
policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.constraint.params.extCritical=false
policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.default.params.userExtCritical=false
policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.constraint.params.extCritical=false
policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.default.params.userExtCritical=false
policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.constraint.params.extCritical=false
policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.default.params.userExtCritical=false
policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.constraint.params.extCritical=false
policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.default.params.userExtCritical=false
policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.constraint.params.extCritical=false
policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.default.params.userExtCritical=false
policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.constraint.params.extCritical=false
policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.default.params.userExtCritical=false
policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.constraint.params.extCritical=false
policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.default.params.userExtCritical=false
policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.constraint.params.extCritical=false
policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.default.params.userExtCritical=false
policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.constraint.params.extCritical=false
policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.default.params.userExtCritical=false
policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.constraint.params.extCritical=false
policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.default.params.userExtCritical=false
policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.constraint.params.extCritical=false
policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.default.params.userExtCritical=false
policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.constraint.params.extCritical=false
policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.default.params.userExtCritical=false
policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.constraint.params.extCritical=false
policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.default.params.userExtCritical=false
policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.constraint.params.extCritical=false
policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.default.params.userExtCritical=false
policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.constraint.params.extCritical=false
policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.default.params.userExtCritical=false
policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.constraint.params.extCritical=false
policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.default.params.userExtCritical=false
restart the CA and apply a CSR to the modified profile that has a
user-supplied extension for that OID, and a value; they should then appear in the
X509v3 extensions of the issued certificate.
On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <joris.dedieu(a)gmail.com> wrote:
>
> Hi list,
> I'm currently trying to add some extensions (for Puppet trusted facts:
> https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> to my certificates. As far as I understand, I have to create / modify
> a profile to do so. From the CSR, I can see the request extension
>
>
> Requested Extensions:
> 1.3.6.1.4.1.34380.1.1.13:
> ..my_puppet_role
> X509v3 Subject Alternative Name:
>
> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13
> retrieve its value in $request$ ? Is there something similar,
> somewhere that I can use as an example ? a doc to read ?
>
> Many thanks
> Joris
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
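The last step Marc describes (restart the CA, submit a CSR that carries a user-supplied extension for the OID, and find it in the X509v3 extensions of the issued certificate) can be rehearsed end to end without a Dogtag instance. The Ruby script below is an added example, not code from the thread, from Dogtag or from Puppet: it builds a CSR whose extReq attribute holds Puppet-style trusted facts (a non-critical extension per fact whose value is a DER UTF8String, which is what the `..my_puppet_role` bytes in Joris's CSR dump are), issues a certificate from a throwaway CA that mimics the modified caServerCert profile by copying a requested extension only when its OID is bound to one of the pp1..pp25 entries, then decodes the facts back out of the issued certificate. The node name, the CA name, the fact values and the out-of-list OID `1.3.6.1.4.1.34380.1.1.99` are constructed for the example; only the `1.3.6.1.4.1.34380.1.1.1`..`.25` arc comes from the thread.

```ruby
require 'openssl'

# Puppet's trusted-fact OID arc as listed in the thread: .1 (pp_uuid) .. .25 (pp_hostname).
# Each pp1..pp25 profile entry binds exactly one of these OIDs; that list is the allowlist.
PUPPET_PP_OIDS = (1..25).map { |n| "1.3.6.1.4.1.34380.1.1.#{n}" }.freeze
PP_ROLE      = '1.3.6.1.4.1.34380.1.1.13' # pp_role
PP_HOSTNAME  = '1.3.6.1.4.1.34380.1.1.25' # pp_hostname
UNLISTED_OID = '1.3.6.1.4.1.34380.1.1.99' # constructed: no profile entry binds it

# A trusted fact is a non-critical extension whose body is a DER UTF8String.
def fact_extension(oid, value)
  OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
end

# Build a CSR whose extReq attribute carries the given extensions.
def build_csr(key, cn, extensions)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  req.public_key = key.public_key
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(extensions)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Pull the extensions the requester asked for back out of the CSR's extReq attribute.
def requested_extensions(req)
  attr = req.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  attr.value.value.first.value.map { |seq| OpenSSL::X509::Extension.new(seq.to_der) }
end

# Throwaway self-signed CA standing in for the Dogtag CA.
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue the way the modified profile does: a requested extension is copied only when
# its OID is bound to a profile entry and it is non-critical (extCritical=false).
# Anything else the requester put in extReq is dropped, never copied blindly.
def issue(ca_key, ca_cert, req, allowed_oids, serial)
  raise 'CSR signature does not verify' unless req.verify(req.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = req.subject
  cert.issuer = ca_cert.subject
  cert.public_key = req.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  requested_extensions(req).each do |ext|
    cert.add_extension(ext) if allowed_oids.include?(ext.oid) && !ext.critical?
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Read the trusted facts out of an issued certificate. The extension body is an
# OCTET STRING wrapping the UTF8String DER, so it is decoded twice.
def puppet_facts(cert)
  cert.extensions.each_with_object({}) do |ext, facts|
    next unless PUPPET_PP_OIDS.include?(ext.oid)
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
    facts[ext.oid] = OpenSSL::ASN1.decode(octets).value
  end
end

# End-to-end run with constructed node data.
def demo
  ca_key, ca_cert = make_ca
  node_key = OpenSSL::PKey::RSA.new(2048)
  csr = build_csr(node_key, 'node1.example.com', [
    fact_extension(PP_ROLE, 'my_puppet_role'),
    fact_extension(PP_HOSTNAME, 'node1.example.com'),
    fact_extension(UNLISTED_OID, 'should not be issued')
  ])
  cert = issue(ca_key, ca_cert, csr, PUPPET_PP_OIDS, 2)
  {
    requested: requested_extensions(csr).map(&:oid),
    issued: puppet_facts(cert),
    chain_ok: cert.verify(ca_cert.public_key),
    unlisted_present: cert.extensions.any? { |e| e.oid == UNLISTED_OID }
  }
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

The allowlist in `issue` is the point of the pp1..pp25 layout: each userExtensionDefaultImpl entry names one OID, so a CSR can ask for any extension it likes and only the bound ones reach the certificate. Switching the constraint to noConstraintImpl, as Joris did, only makes each fact optional; it does not widen which OIDs are accepted. The `puppet_facts` reader is also a handy check to run against a certificate the real CA issued, to confirm the values landed under the expected OIDs and stayed non-critical.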