SAN in internal SSL server certificate in pkispawn configuration step
Community comments welcome.
On Fri, Mar 30, 2018 at 8:24 AM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
wrote:
Yes, making this a default will make it much easier.
On Fri, Mar 30, 2018 at 8:14 AM Marc Sauton <msauton(a)redhat.com> wrote:
> Yes, sorry, I forgot to mention the profile used for the internal SSL
> server certificate at configuration needed to be copied
> from /usr/share/pki/ca/conf/serverCert.profile.exampleWithSAN
> Should we make this a default setting?
> Thanks,
> M.
>
> On Thu, Mar 29, 2018 at 10:05 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
> wrote:
>
>> Found the solution here...Thanks again!
>>
>>
>> https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html
>>
>> On Thu, Mar 29, 2018 at 8:06 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>> wrote:
>>
>>> sending to alias also...
>>>
>>> ---------- Forwarded message ----------
>>> From: Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>>> Date: Thu, Mar 29, 2018 at 3:35 PM
>>> Subject: Re: [Pki-users] SAN for Launch page.
>>> To: Marc Sauton <msauton(a)redhat.com>
>>>
>>>
>>> It did not work. I am still getting SAN errors when using the Launch
>>> page. I viewed the Cert that was issued to the launch page, and it is still
>>> missing the SAN. Here is my ca.cfg:
>>>
>>> [CA]
>>> pki_admin_email=caadmin(a)test.com
>>> pki_admin_name=caadmin
>>> pki_admin_nickname=caadmin
>>> pki_admin_password=xxxxxxxx
>>> pki_admin_uid=caadmin
>>>
>>> pki_san_inject=True
>>> pki_san_for_server_cert=dogtag-ca-root.test.com
>>>
>>> pki_client_database_password=xxxxxxxx
>>> pki_client_database_purge=False
>>> pki_client_pkcs12_password=xxxxxxxxxx
>>>
>>> pki_ds_base_dn=dc=test,dc=com
>>> pki_ds_database=pki-tomcat
>>> pki_ds_password=xxxxxxx
>>>
>>> pki_ca_signing_subject_dn=cn=TEST Root CA,ou=TEST Certification Authority,c=US
>>>
>>>
>>> Thanks,
>>>
>>> Rafael
>>>
>>> On Thu, Mar 29, 2018 at 2:50 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>>> wrote:
>>>
>>>> Thanks, I will give that a try.
>>>>
>>>> On Thu, Mar 29, 2018 at 12:57 PM, Marc Sauton <msauton(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Try to add to the pkispawn config file, for example:
>>>>> pki_san_inject=True
>>>>> pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com
>>>>>
>>>>> Note for the "non-internal" certificates, there is a way to modify
>>>>> enrollment profiles to add a SAN, but a recently updated feature is
>>>>> described in the page at
>>>>> http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN
>>>>>
>>>>> Thanks,
>>>>> M.
>>>>>
>>>>> On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa
>>>>> <spawn(a)rloteck.net> wrote:
>>>>>
>>>>>> Hi Everyone,
>>>>>>
>>>>>> I am trying to build a new CA, and I am using the ca.cfg file to
>>>>>> create the CA, but when I create the CA, the SAN is missing from the
>>>>>> website cert (:8443). I am trying to look for the right value to put
>>>>>> on the ca.cfg file for the SAN, so the launch page does not give me
>>>>>> SAN errors. Here is what I found, but nothing relating to the SAN:
>>>>>>
>>>>>> [CA]
>>>>>> pki_admin_email=caadmin(a)example.com
>>>>>> pki_admin_name=caadmin
>>>>>> pki_admin_nickname=caadmin
>>>>>> pki_admin_password=Secret.123
>>>>>> pki_admin_uid=caadmin
>>>>>>
>>>>>> pki_client_database_password=Secret.123
>>>>>> pki_client_database_purge=False
>>>>>> pki_client_pkcs12_password=Secret.123
>>>>>>
>>>>>> pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
>>>>>> pki_ds_database=ca
>>>>>> pki_ds_password=Secret.123
>>>>>>
>>>>>> pki_security_domain_name=EXAMPLE
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Rafael
>>>>>>
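
An added example (not part of the thread and not Dogtag's own code): a Python check for the failure reported above, where the pkispawn config requests SANs but the certificate served on :8443 does not carry them. The function names and sample data are constructed for illustration, and an absent pki_san_inject is assumed to mean off.

```python
import configparser
import socket
import ssl


def requested_sans(cfg_text, section="CA"):
    """SAN DNS names a pkispawn config asks for; [] if injection is off."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may hold '%'
    cfg.read_string(cfg_text)
    if not cfg.getboolean(section, "pki_san_inject", fallback=False):
        return []  # assumption: absent pki_san_inject means no SAN is injected
    raw = cfg.get(section, "pki_san_for_server_cert", fallback="")
    return [n.strip().lower() for n in raw.split(",") if n.strip()]


def cert_dns_sans(peercert):
    """DNS entries from the dict returned by SSLSocket.getpeercert()."""
    return [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]


def missing_sans(cfg_text, peercert):
    """Requested names the issued certificate lacks (exact, case-insensitive)."""
    present = set(cert_dns_sans(peercert))
    return [n for n in requested_sans(cfg_text) if n not in present]


def fetch_peercert(host, port=8443, cafile=None):
    """Fetch the served certificate; cafile is the CA signing cert (PEM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared by missing_sans() instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data, not taken from a real deployment.
SAMPLE_CFG = """
[CA]
pki_san_inject=True
pki_san_for_server_cert=ca01.example.com,ca02.example.com
"""
CERT_WITHOUT_SAN = {"subject": ((("commonName", "ca01.example.com"),),)}
CERT_WITH_SAN = {
    "subjectAltName": (("DNS", "ca01.example.com"), ("DNS", "ca02.example.com")),
}

if __name__ == "__main__":
    for cert in (CERT_WITHOUT_SAN, CERT_WITH_SAN):
        print(missing_sans(SAMPLE_CFG, cert))
```

Against a live instance, pass the result of `fetch_peercert(host, cafile=...)` as the second argument to `missing_sans()`; a non-empty result means the certificate was issued without the names the config requested.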