This has more specific info on how to set up subjectName and subjectAltName. There is a
link in that piece of document that points to the subjectAltName defaults specifically.
----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
To: "John Magne" <jmagne(a)redhat.com>
Sent: Friday, November 6, 2015 11:01:02 PM
Subject: Re: SAN Feild in the MSCE profile
Here you go.
On Fri, Nov 6, 2015 at 5:47 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net> wrote:
ok. I will run one tonight.
Thanks
On Fri, Nov 6, 2015 at 5:41 PM, John Magne <jmagne(a)redhat.com> wrote:
> If you could possibly give us the "debug" log, the failure could possibly
> be isolated more easily.
>
> ----- Original Message -----
> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Friday, November 6, 2015 5:29:40 PM
> Subject: Re: SAN Feild in the MSCE profile
>
> Still not working:
>
> This is what I put on the new profile
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
>
> The CSR looks like this:
>
> *Common Name:* node1.example.com
>
> *Subject Alternative Names:* test.example.com, test1.example.com, test2.example.com
>
> *Organization:* Test Corp
>
> *Organization Unit:* IT Department
>
> *Locality:* LA
>
> *State:* OR
>
> *Country:* US
>
> On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
> wrote:
>
> > Thx, I will give that a try.
> >
> >
> > On Thursday, November 5, 2015, John Magne <jmagne(a)redhat.com> wrote:
> >
> >> You should be able to do this:
> >>
> >> First for info on profiles and how to make new ones start here:
> >>
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> >>
> >>
> >>
> >> If you look in this directory:
> >>
> >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> >>
> >> This is where the raw profile files are. Looking through these should
> >> provide an example of somebody using the subject alt name extension.
> >> Whatever is happening there can be created in a new profile.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> >> To: pki-users(a)redhat.com
> >> Sent: Thursday, November 5, 2015 12:52:38 PM
> >> Subject: [Pki-users] SAN Feild in the MSCE profile
> >>
> >> Hi Pki-Users,
> >>
> >> I am trying to create a cert using a CSR that has more than one CN using
> >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
> >> it does not support a SAN Field by default. Can I create a custom profile
> >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
> >> the process for doing that?
> >>
> >> Thanks,
> >>
> >> Rafael
> >>
> >
>
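
An added example, not part of the thread and not Dogtag code: a small Python check over the profile lines and CSR names quoted above. It reports each enabled subjectAltName slot whose pattern is empty and compares subjAltNameNumGNs with the number of names in the request; the function names are hypothetical, and it makes no claim about which observation the CA acts on.

```python
import re

# Constructed input: profile lines and CSR names copied from the message above.
PROFILE = """\
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""
CSR_SANS = ["test.example.com", "test1.example.com", "test2.example.com"]

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def review_san_defaults(props, requested_sans):
    """List observations for every subjectAltNameExtDefaultImpl policy in props."""
    findings = []
    for key, value in props.items():
        if not key.endswith(".default.class_id") or value != "subjectAltNameExtDefaultImpl":
            continue
        base = key[: -len("class_id")] + "params."
        num = props.get(base + "subjAltNameNumGNs", "")
        declared = int(num) if num.isdigit() else 0
        slots = {}  # slot index -> {"GNEnable"/"Pattern"/"Type": value}
        pat = re.compile(re.escape(base) + r"subjAltExt(GNEnable|Pattern|Type)_(\d+)")
        for k, v in props.items():
            m = pat.fullmatch(k)
            if m:
                slots.setdefault(int(m.group(2)), {})[m.group(1)] = v
        for i in range(declared):
            slot = slots.get(i, {})
            if slot.get("GNEnable", "").lower() == "true" and not slot.get("Pattern"):
                findings.append(f"slot {i}: enabled but subjAltExtPattern_{i} is empty")
            if not slot.get("Type"):
                findings.append(f"slot {i}: subjAltExtType_{i} is missing")
        extra = sorted(i for i in slots if i >= declared)
        if extra:
            findings.append(f"slots {extra} are defined beyond subjAltNameNumGNs={declared}")
        if len(requested_sans) > declared:
            findings.append(f"request lists {len(requested_sans)} names, profile defines {declared} slot(s)")
    return findings
```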