Re: [Pki-users] SubjectAltName - how?

Hi, You have to add the following lines into your certificate profile.. policyset.ServerProfile.10.constraint.class_id=noConstraintImpl policyset.ServerProfile.10.constraint.name=No Constraint policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl policyset.ServerProfile.10.default.name=User Supplied Extension Default policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17 Then the SAN's will be added to the certificate. BR Florian -----Ursprüngliche Nachricht----- Von: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] Im Auftrag von Ian Koenig Gesendet: Montag, 14. November 2016 19:18 An: pki-users(a)redhat.com Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed] Hi all, I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2 (build 1511) system. I can request and approve various different certs through the system successfully and have it working properly with SSL client certificates in Chrome. What I haven't been able to figure out is how to generate a server SSL Cert that has SubjectAltName entries in it. An example cnf file I have tried is [ . . . ] [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA : FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = (at)alt_names [ alt_names ] DNS . 1 = demo . myhome . com DNS . 2 = demo DNS . 3 = demo . prod . myhome . com [ . . . ] This generates a valid CSR with the SubjectAltNames in it. However when I send it through to be approved on Dogtag, the SAN gets removed. How do I setup a profile in Dogtag to allow this CSR with SAN get approved? Thanks ian _______________________________________________ Pki-users mailing list Pki-users(at)redhat . com https : / / www . redhat . com / mailman / listinfo / pki-users