Thanks for the reply Fraser, I was wondering why the CSR SAN field was
being ignored on the SubjectAltNameExtDefault profile policy class.
However, I am a bit confused, you said: "Rather, it takes the
subjAltExPattern_N's specified (yours is empty, which is a problem) and
formats them." How do I make it "not" empty". Is this something I do
when I
approve the request on the DogTag CA web interface? How do I specify this?
I need the SAN to be verified when the web client (browser) checks the CN,
or the SAN.
Thanks again for you help....: )
Rafael
On Sun, Nov 8, 2015 at 2:48 PM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> Still not working:
>
> This is what I put on the new profile
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
>
> policyset.serverCertSet.9.constraint.name=No Constraint
>
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
>
> policyset.serverCertSet.9.default.name=Subject Alternative Name
Extension
> Default
>
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
>
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
>
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
>
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
>
> The CSR looks like this:
>
> *Common Name:*
node1.example.com
>
> *Subject Alternative Names:*
test.example.com,
test1.example.com,
>
test2.example.com
>
> *Organization:* Test Corp
>
> *Organization Unit:* IT Department
>
> *Locality:* LA
>
> *State:* OR
>
> *Country:* US
>
The SubjectAltNameExtDefault profile policy class does not copy
altNames from the CSR. Rather, it takes the subjAltExPattern_N's
specified (yours is empty, which is a problem) and formats them.
You can reference various aspects of the request in the pattern.
See the documentation for more info:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
If you want to directly copy an extension value directly from the
CSR into the certificate (e.g. so the SAN request extension is used
in the certificate) you can do that too. This approach demands
caution because there is no validation of the extension value. See
the caIPAserviceCert profile for an example of how to do this for
SAN.
Cheers,
Fraser
> On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
> wrote:
>
> > Thx, I will give that a try.
> >
> >
> > On Thursday, November 5, 2015, John Magne <jmagne(a)redhat.com> wrote:
> >
> >> You should be able to do this:
> >>
> >> First for info on profiles and how to make new ones start here:
> >>
> >>
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> >>
> >>
> >>
> >> If you look in this directory:
> >>
> >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> >>
> >> This is where the raw profile files are. Looking through these should
> >> provide an example of somebody using the subject alt name extension.
> >> Whatever happening there can be created in a new profile.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
> >> To: pki-users(a)redhat.com
> >> Sent: Thursday, November 5, 2015 12:52:38 PM
> >> Subject: [Pki-users] SAN Feild in the MSCE profile
> >>
> >> Hi Pki-Users,
> >>
> >> I am trying to create a cert using a CSR that has more then one CN
using
> >> the Manuel Server Certificate Enrollment (MSCE) profile, but it seem
that
> >> it does not support a SAN Feild by default. Can I create a custom
profile
> >> that duplicates the MSCE profile, but adds the SAN Feild? Is so, what
is
> >> the process for doing that?
> >>
> >> Thanks,
> >>
> >> Rafael
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users(a)redhat.com
> >>
https://www.redhat.com/mailman/listinfo/pki-users
> >>
> >
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/pki-users