Hi,

 

Related to RFC 6125 (best practice for checking server identities), I have to create a cert profile which adds the Common Name from the subject into a SAN.

 

So far so good; this works now with this config.

 

policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.10.constraint.name=No Constraint
policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcServerCert.10.default.name=Subject Alt Name Constraint
policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=1

 

 

Now I have to add additional SANs if the user sends them in the request.

 

CSR part:

Requested Extensions:
    X509v3 Subject Alternative Name:
        DNS:mywebservice.example.com, DNS:mywebservicealias.example.com

 

 

With this config, it is possible to take the SANs out of the CSR and bring them into the cert.

 

policyset.cmcServerCert.9.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.9.constraint.name=No Constraint
policyset.cmcServerCert.9.constraint.subjAltNameExtCritical=false
policyset.cmcServerCert.9.default.class_id=userExtensionDefaultImpl
policyset.cmcServerCert.9.default.name=User Supplied Extension Default
policyset.cmcServerCert.9.default.params.userExtOID=2.5.29.17

 

 

The problem I have is that I have to take the SANs out of the request and then ADD the CN from the subject as a SAN too.

 

I’m not able to get this working.

 

Please help.

 

Thanks in advance.

 

Br

florian
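The following is an added example of one way to combine the two requirements above in a single profile policy; it is not Florian's configuration and not taken from the Dogtag project. It assumes that the CA populates request attributes named `$request.req_san_pattern_N$` from the N-th GeneralName of the CSR's Subject Alternative Name extension (an assumption to verify against the installed Dogtag/RHCS version before relying on it). The idea is to drop the separate `userExtensionDefaultImpl` entry for OID 2.5.29.17 and let one `subjectAltNameExtDefaultImpl` emit the subject CN in slot 0 followed by the CSR-supplied names:

```properties
# Added example (not from the original post). One SAN default that writes the
# subject CN first and then copies the SAN entries that came in the CSR.
# ASSUMPTION: $request.req_san_pattern_N$ is filled by the CA from the N-th
# GeneralName of the CSR's SAN extension. Check this against your CA version.
policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.10.constraint.name=No Constraint
policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcServerCert.10.default.name=Subject Alternative Name Default
policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
# three GeneralName slots: CN plus up to two names from the CSR
policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=3
# slot 0: Common Name from the subject (same pattern as the working config above)
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
# slot 1: first DNS name from the CSR's SAN extension (assumed attribute name)
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_1=true
policyset.cmcServerCert.10.default.params.subjAltExtType_1=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_1=$request.req_san_pattern_0$
# slot 2: second DNS name from the CSR's SAN extension (assumed attribute name)
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_2=true
policyset.cmcServerCert.10.default.params.subjAltExtType_2=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_2=$request.req_san_pattern_1$
```

Two things to check when trying this. First, keep only one policy that writes extension 2.5.29.17: the `userExtensionDefaultImpl` entry (policy 9 above) and this SAN default would both produce a Subject Alternative Name extension, so remove policy 9 from the profile's policy list when using the combined default. Second, the number of slots is fixed by `subjAltNameNumGNs`; test what your version does when a CSR carries fewer SAN entries than configured slots (an empty pattern value) and when it carries more (extra names are not copied), and remember that copying requester-supplied names verbatim means the CA is trusting the CSR for those hostnames, so this belongs behind an approval step or a constraint that limits the allowed domains.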