Glad it helps.
Note in the context of IPA, the PKI / Dogtag profiles are now stored in the
LDAP server backend, so the procedure is different in FreeIPA 4.4.
If those changes are working fine in your environment, and if this may
benefit others (as Puppet makes more use of PKI), I would propose opening an
RFE to add a new profile by default in the Dogtag project (so it can make
its way to FreeIPA), and/or documenting this in the wiki or in an article that
I can add to https://access.redhat.com/ for the "Red Hat Certificate
System" product.
Thanks for any feedback,
M.
On Fri, Dec 9, 2016 at 1:50 AM, joris dedieu <joris.dedieu(a)gmail.com> wrote:
Hi Marc,
2016-12-09 1:05 GMT+01:00 Marc Sauton <msauton(a)redhat.com>:
> you could try to modify a profile for SSL server certificate enrollment:
>
> cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> ...snip...
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> ...snip...
> policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> policyset.serverCertSet.pp.constraint.name=Extension Constraint
> policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.constraint.params.extCritical=false
> policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.default.params.userExtCritical=false
Excellent, it works like a charm! I just changed
extensionConstraintImpl to noConstraintImpl so that the extensions are
not mandatory anymore. Here is the complete Puppet trusted facts
sequence, useful for using Dogtag (FreeIPA in my case) as an external
PKI for Puppet.
Many thanks
Joris
policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.constraint.params.extCritical=false
policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.default.params.userExtCritical=false
policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.constraint.params.extCritical=false
policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.default.params.userExtCritical=false
policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.constraint.params.extCritical=false
policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.default.params.userExtCritical=false
policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.constraint.params.extCritical=false
policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.default.params.userExtCritical=false
policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.constraint.params.extCritical=false
policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.default.params.userExtCritical=false
policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.constraint.params.extCritical=false
policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.default.params.userExtCritical=false
policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.constraint.params.extCritical=false
policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.default.params.userExtCritical=false
policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.constraint.params.extCritical=false
policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.default.params.userExtCritical=false
policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.constraint.params.extCritical=false
policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.default.params.userExtCritical=false
policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.constraint.params.extCritical=false
policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.default.params.userExtCritical=false
policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.constraint.params.extCritical=false
policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.default.params.userExtCritical=false
policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.constraint.params.extCritical=false
policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.default.params.userExtCritical=false
policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.constraint.params.extCritical=false
policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.default.params.userExtCritical=false
policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.constraint.params.extCritical=false
policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.default.params.userExtCritical=false
policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.constraint.params.extCritical=false
policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.default.params.userExtCritical=false
policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.constraint.params.extCritical=false
policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.default.params.userExtCritical=false
policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.constraint.params.extCritical=false
policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.default.params.userExtCritical=false
policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.constraint.params.extCritical=false
policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.default.params.userExtCritical=false
policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.constraint.params.extCritical=false
policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.default.params.userExtCritical=false
policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.constraint.params.extCritical=false
policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.default.params.userExtCritical=false
policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.constraint.params.extCritical=false
policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.default.params.userExtCritical=false
policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.constraint.params.extCritical=false
policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.default.params.userExtCritical=false
policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.constraint.params.extCritical=false
policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.default.params.userExtCritical=false
policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.constraint.params.extCritical=false
policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.default.params.userExtCritical=false
policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.constraint.params.extCritical=false
policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.default.params.userExtCritical=false
>
> restart the CA and apply a CSR to the modified profile that has a user
> supplied extension for that OID, and a value; they should then appear in the
> X509v3 extensions of the issued certificate
>
> On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <joris.dedieu(a)gmail.com> wrote:
>>
>> Hi list,
>> I'm currently trying to add some extensions (for Puppet trusted
>> facts, https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
>> to my certificates. As far as I understand, I have to create / modify
>> a profile to do so. From the CSR, I can see the request extension
>>
>>
>> Requested Extensions:
>> 1.3.6.1.4.1.34380.1.1.13:
>> ..my_puppet_role
>> X509v3 Subject Alternative Name:
>>
>> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and
>> retrieve its value in $request$? Is there something similar,
>> somewhere, that I can use as an example? A doc to read?
>>
>> Many thanks
>> Joris
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
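A worked example of both ends of the exchange discussed in this thread, added here as an illustration; it is not code from the thread, from Dogtag or from Puppet. It builds a CSR that carries Puppet-style extensions under the 1.3.6.1.4.1.34380.1.1 arc, reads them back the way a relying party would read trusted facts from an issued certificate, and has a toy CA copy them across the way the userExtensionDefaultImpl policy in the profile above does. It assumes the Python `cryptography` package, and it assumes Puppet encodes each extension value as a DER UTF8String (the two dots in front of my_puppet_role in the openssl dump quoted above are that tag byte and length byte printed as non-printable characters). The hostname, the UUID and the CA name are made up.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Puppet's private enterprise arc for CSR extension requests (from the thread).
PUPPET_ARC = "1.3.6.1.4.1.34380.1.1"
PP_UUID = ObjectIdentifier(PUPPET_ARC + ".1")   # pp_uuid
PP_ROLE = ObjectIdentifier(PUPPET_ARC + ".13")  # pp_role


def der_utf8string(text: str) -> bytes:
    """DER-encode text as an ASN.1 UTF8String (tag 0x0c).

    Assumption: Puppet stores each extension_requests value as a UTF8String.
    Both short-form (< 128 bytes) and long-form lengths are produced.
    """
    body = text.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x0c" + length + body


def der_utf8string_decode(der: bytes) -> str:
    """Inverse of der_utf8string; rejects anything that is not exactly one UTF8String."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    first = der[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        if k == 0 or len(der) < 2 + k:
            raise ValueError("bad DER length")
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    if off + n != len(der):
        raise ValueError("trailing or missing bytes in UTF8String")
    return der[off:off + n].decode("utf-8")


def build_csr(hostname: str, facts: dict, key) -> x509.CertificateSigningRequest:
    """Build a CSR the way a Puppet agent would: CN, SAN, one extension per fact."""
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
    )
    for oid, value in facts.items():
        # cryptography has no class for the Puppet OIDs, so carry the raw DER value.
        builder = builder.add_extension(
            x509.UnrecognizedExtension(oid, der_utf8string(value)), critical=False
        )
    return builder.sign(key, hashes.SHA256())


def puppet_facts(obj) -> dict:
    """Return {dotted_oid: decoded value} for every Puppet-arc extension in a CSR or cert."""
    found = {}
    for ext in obj.extensions:
        if ext.oid.dotted_string.startswith(PUPPET_ARC + "."):
            found[ext.oid.dotted_string] = der_utf8string_decode(ext.value.value)
    return found


def issue_copying_facts(csr, ca_key, ca_name: x509.Name, days: int = 365) -> x509.Certificate:
    """Toy CA step mirroring what userExtensionDefaultImpl does in the Dogtag profile:
    copy the user-supplied Puppet extensions from the CSR into the certificate,
    non-critical (userExtCritical=false). This is not Dogtag code."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    for ext in csr.extensions:
        if ext.oid.dotted_string.startswith(PUPPET_ARC + "."):
            builder = builder.add_extension(ext.value, critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def demo() -> tuple:
    """Full round trip on constructed input; returns (facts in CSR, facts in cert)."""
    agent_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    facts = {PP_ROLE: "my_puppet_role", PP_UUID: "8d0e5f2a-0000-4000-8000-000000000001"}
    csr = build_csr("node1.example.com", facts, agent_key)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy CA")])
    cert = issue_copying_facts(csr, ca_key, ca_name)
    return puppet_facts(csr), puppet_facts(cert)


if __name__ == "__main__":
    csr_facts, cert_facts = demo()
    print("CSR  facts:", csr_facts)
    print("cert facts:", cert_facts)
```

The check that matters against the real CA is the same `puppet_facts()` call on the certificate Dogtag issued: it should return the values the agent put in its CSR, and nothing for OIDs the CSR did not carry. Two caveats worth keeping in mind with the profile above: the pp1 to pp25 policies only take effect if their ids are also listed in policyset.serverCertSet.list (Marc's snippet shows that line), and switching the constraint to noConstraintImpl makes the extensions optional but also means the profile checks nothing about their content, so a value such as pp_role is exactly what the CSR submitter asked for; it is only as trustworthy as the review done by whoever approves the request.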