Re: [Pki-users] DogTag 1.3 and Subject Alternate Name

On 08/31/2010 11:43 AM, Gaiseric Vandal wrote: > > I have installed DogTag 1.3 Certificate Server (CA and RA) components > on Fedora Core 11. > > I want to configure a server certificate with a Subject Alternate Name. > > > I used openssl to create a private key and a certificate signing > request on the server in question. > > openssl genrsa -out server1.key -des3 1024 > openssl req -new -key server1.key -out server.csr > > > I am prompted along the way to include an e-mail address and subject > alternate name. Both are permitted but optional in my openssl.cnf file. > > I can look at the csr with > openssl req -in server.csr -text > > > > > By default, openssl by default recreates a req with the following line > > Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT, > CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail@... > > > > > You can see that e-mail and SAN are part of the CN attribute. > > I went to the "Certificate System RA Services Page" > (https://myserver:12890) - > SSL End Users Services -> Server > Enrollment -> Request Submission. I pasted the contents of the csr > file into the web page. The administrator (i.e. me) gets e-mail > notification of a certificate request, and follows the link to > approve it. However if I have included either e-mail or SAN the > request will fail because the subject name doesn't match. > > CA: Request Rejected - Subject Name Not Matched > E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My > Company,L=MyCity,ST=California,C=US > > > > > If I compare the dogtag error message to the original csr file I can > see that dogtag expects a different syntax for e-mail. Dogtag > expects it as a separate "E" attribute (It still seems to have > translated the attributes appropriately but then complains the > subject doesn't match.) I can work around this by either omitting > e-mail in the csr altogether or explicitly setting the subject > attribute with the "openssl req -subj" > > -> openssl req -new -key server.key -out server.csr -subj > "/E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My Company > Name,L=MyCity,ST=California,C=US" > Enter pass phrase for server.key: > Subject Attribute E has no known NID, skipped > -> > > > However, I can't figure out how to make this work for the Subject > Alternate Name. > > DogTag rejects the certificate with > > CA: Request Rejected - Subject Name Not Matched E=mymail(a)company.com > ,2.5.29.17=www.company.com,CN=server.... > For this error, if you enroll for a user cert, see the CA profile /var/lib/pki-ca/profiles/ca/caDualRAuserCert.cfg and change the default configuration for policyset.userCertSet.1.constraint.params.pattern=.*UID=.* to match your needs > > Is there a "NID" parameter than dogtag expects for SAN? > > > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users >