On Fri, May 05, 2017 at 02:24:26PM +0200, Supper Florian 6342 sIT wrote:
Hi,
related to RFC 6125 (best practice for checking server identities), I have to create a cert
profile which adds the Common Name from the subject into a SAN.
So far so good, this works now with this config.
policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.10.constraint.name=No Constraint
policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcServerCert.10.default.name=Subject Alt Name Constraint
policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=1
Now I have to add additional SANs if the user sends them in the request.
CSR part:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:mywebservice.example.com,
DNS:mywebservicealias.example.com
With this config, it is possible to take the SANs out of the CSR and bring them into the
cert.
policyset.cmcServerCert.9.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.9.constraint.name=No Constraint
policyset.cmcServerCert.9.constraint.subjAltNameExtCritical=false
policyset.cmcServerCert.9.default.class_id=userExtensionDefaultImpl
policyset.cmcServerCert.9.default.name=User Supplied Extension Default
policyset.cmcServerCert.9.default.params.userExtOID=2.5.29.17
The problem I had is that I had to take the SANs out of the request and then ADD the
CN out of the subject as a SAN too.
I'm not able to get this working.
Please help.
Thanks in advance.
Br
florian
Hi Florian,
In the 10.4 release, we added a new profile component specifically
for adding the CN (if it looks like a DNS name) to the SAN extension
(creating it if necessary). It is called CommonNameToSANDefault.
See https://bugzilla.redhat.com/show_bug.cgi?id=1429492 for more details.
Thanks,
Fraser
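As an added example (not code from this thread or from Dogtag), the following Python script models what a CN-to-SAN profile step has to produce for the CSR shown above: the dNSName entries the requester supplied, plus the subject CN when it looks like a DNS name, without duplicates. It also goes one step beyond the thread and shows how an RFC 6125 client would match a reference identity against the resulting dNSName list, including the wildcard rules. The exact behaviour of CommonNameToSANDefault (which names count as "looking like a DNS name", how duplicates are handled) is assumed here, not taken from the Dogtag source; the sample input is constructed to mirror the CSR in the thread.

```python
"""Added example, not part of the pki-users thread or of Dogtag itself.

merge_cn_into_san models the outcome a CN-to-SAN profile step should give:
CSR dNSName entries first, the subject CN appended only when it looks like a
hostname, with case-insensitive de-duplication.  matches_reference_identity
shows the RFC 6125 DNS-ID matching a client performs against that list.
The CommonNameToSANDefault semantics assumed here are not copied from Dogtag.
"""
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def looks_like_dns_name(value: str) -> bool:
    """Return True if value is a syntactically valid hostname (no wildcards).

    A free-form CN such as "Internal Web Service", a single bare label, or
    an IPv4-looking string is rejected so it is not promoted into a dNSName.
    """
    if not value or len(value) > 253 or " " in value:
        return False
    labels = value.rstrip(".").split(".")
    if len(labels) < 2:  # require at least host.domain
        return False
    if all(label.isdigit() for label in labels):
        return False  # dotted digits look like an IP address, not a DNS name
    return all(_LABEL.match(label) for label in labels)


def merge_cn_into_san(cn: str, csr_dns_names: list) -> list:
    """Build the final SAN dNSName list from CSR names plus a DNS-like CN.

    Order of the CSR entries is preserved; comparison is case-insensitive
    and ignores a trailing dot, so "Web.Example.COM" in the CSR and
    "web.example.com" as CN yield a single entry.
    """
    result = []
    seen = set()
    for name in csr_dns_names:
        key = name.lower().rstrip(".")
        if key not in seen:
            seen.add(key)
            result.append(name)
    if looks_like_dns_name(cn) and cn.lower().rstrip(".") not in seen:
        result.append(cn)
    return result


def matches_reference_identity(reference: str, presented: list) -> bool:
    """RFC 6125 section 6.4.3 style DNS-ID matching.

    A wildcard is accepted only as the complete left-most label, it matches
    exactly one label, and at least two literal labels must remain, so
    "*.example.com" matches "www.example.com" but neither "a.b.example.com"
    nor anything via "*.com".
    """
    ref_labels = reference.lower().rstrip(".").split(".")
    for name in presented:
        labels = name.lower().rstrip(".").split(".")
        if labels == ref_labels:
            return True
        if (labels and labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(ref_labels)
                and labels[1:] == ref_labels[1:]):
            return True
    return False


if __name__ == "__main__":
    # Constructed input mirroring the CSR quoted in the thread
    csr_names = ["mywebservice.example.com", "mywebservicealias.example.com"]
    print(merge_cn_into_san("mywebservice.example.com", csr_names))
    print(merge_cn_into_san("Internal Web Service", csr_names))
    print(matches_reference_identity("mywebservice.example.com",
                                     merge_cn_into_san("mywebservice.example.com", csr_names)))
```

The useful check for a profile like the one above is the second case: a CN that is not a hostname must not end up as a dNSName entry, because RFC 6125 clients match only on the SAN and a bogus entry widens what the certificate vouches for.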