Taking a quick look, it appears that you are missing a setting with "class_id"
in there.
Just a suggestion. Often, for simplicity, when creating a new profile, we just copy over
an old one and make the changes
needed to create the new one. This can help to make sure that important settings are
present.
----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Monday, January 16, 2017 9:05:59 PM
Subject: Re: [Pki-users] SAN on Certificate
I just tried creating a new profile, and I got the following error:
[16/Jan/2017:20:57:44][localhost-startStop-1]: Start Profile Creation -
caServerCertSAN4 caEnrollImpl
com.netscape.cms.profile.common.CAEnrollProfile
[16/Jan/2017:20:57:44][localhost-startStop-1]: ProfileSubsystem: initing
com.netscape.cms.profile.common.CAEnrollProfile
[16/Jan/2017:20:57:44][localhost-startStop-1]: BasicProfile: start init
[16/Jan/2017:20:57:44][localhost-startStop-1]: WARNING, can't get default
plugin id!
[16/Jan/2017:20:57:44][localhost-startStop-1]:
java.lang.NullPointerException
java.lang.NullPointerException
at
com.netscape.cms.profile.common.BasicProfile.createProfilePolicy(BasicProfile.java:891)
at com.netscape.cms.profile.common.BasicProfile.init(BasicProfile.java:347)
at
com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:126)
at
com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:85)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:581)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[16/Jan/2017:20:57:44][localhost-startStop-1]: Done Profile Creation -
caServerCertSAN4
I made sure to add the following lines to the CS.cfg:
profile.caServerCertSAN4.class_id=caEnrollImpl
profile.caServerCertSAN4.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCertSAN4.cfg
I attached the profile on this email.
Any help would be great,
Rafael
On Fri, Jan 13, 2017 at 11:45 AM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
wrote:
> Thanks John I will give this a try tonight.
>
>
> On Fri, Jan 13, 2017 at 11:43 AM John Magne <jmagne(a)redhat.com> wrote:
>
>> OK:
>>
>>
>>
>> The reason to ask about GUI, is because this make it easier for us to
>> make sure
>>
>> the request has the info needed.
>>
>>
>>
>> Take a look at this one: /var/lib/pki-ca/profiles/ca/DomainController.cfg
>>
>>
>>
>> This profile has the default for 2 SANs as in this snippet.
>>
>>
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.class_id=
>> subjectAltNameExtDefaultImpl
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.name=Subject Alt
>> Name Constraint
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltNameExtCritical=false
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.
>> default.params.subjAltExtType_0=RFC822Name
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltExtPattern_0=$request.requestor_email$
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltExtGNEnable_0=true
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.
>> default.params.subjAltExtType_1=OtherName
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltExtGNEnable_1=true
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltExtSource_1=UUID4
>>
>> caUUIDdeviceCert.cfg:policyset.userCertSet.8.default.params.
>> subjAltNameNumGNs=2
>>
>>
>>
>>
>>
>> Note the NumGNs is set to 2. It also uses parameters from the GUI to
>> populate the values.
>>
>>
>>
>> If you have more non standard inputs you want to put in your profile, I
>> believe there is a user defined
>>
>> input that can be used. This way you can give it any id you want and the
>> profile can be told to get that
>>
>> particular value to put in place.
>>
>>
>>
>>
>>
>>
>>
>> ----- Original Message -----
>>
>> > From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
>>
>> > To: "John Magne" <jmagne(a)redhat.com>
>>
>> > Cc: pki-users(a)redhat.com
>>
>> > Sent: Friday, January 13, 2017 10:39:54 AM
>>
>> > Subject: Re: [Pki-users] SAN on Certificate
>>
>> >
>>
>> > It's a GUI.
>>
>> >
>>
>> > Does it matter? Would it make a difference if I use OpenSSL to
>> generate
>>
>> > the CSR ?
>>
>> > On Fri, Jan 13, 2017 at 10:38 AM John Magne <jmagne(a)redhat.com>
wrote:
>>
>> >
>>
>> > > Yes, that is the idea.
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > If the code is able to pull info out of the request with those
id's,
>> as in
>>
>> > > the profile snippet,
>>
>> > >
>>
>> > > it will put them in the cert.
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > Might you let us know what kind of csr you are using? Is it something
>>
>> > > external, or are you using the gui?
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > ----- Original Message -----
>>
>> > >
>>
>> > > From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
>>
>> > >
>>
>> > > To: "John Magne" <jmagne(a)redhat.com>
>>
>> > >
>>
>> > > Cc: pki-users(a)redhat.com
>>
>> > >
>>
>> > > Sent: Thursday, January 12, 2017 4:57:58 PM
>>
>> > >
>>
>> > > Subject: Re: [Pki-users] SAN on Certificate
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > On the CSR there are SAN input fields...would it get them from there
>> using
>>
>> > >
>>
>> > > the settings you stated below?
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > On Thu, Jan 12, 2017 at 4:53 PM John Magne <jmagne(a)redhat.com>
wrote:
>>
>> > >
>>
>> > >
>>
>> > >
>>
>> > > > Hi:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > Not to sound like a broken record and say the same thing again,
but
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > I looked at this link you printed:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
https://access.redhat.com/documentation/en-US/Red_Hat_
>> Certificate_System/8.1/html/Admin_Guide/Certificate_and_
>> CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > Note in there for the custom profile it has this setting:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > Then for each "index" it has some different settings
that determine
>> how
>>
>> > >
>>
>> > > > the info is gathered for that particular SAN, like this:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > > policyset.serverCertSet.9.default.params.
>> subjAltExtPattern_0=$request.requester_email$
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > and
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > > policyset.serverCertSet.9.default.params.
>> subjAltExtPattern_1=$request.SAN1$
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > Off the top of my head, I"m not sure where it's getting
those
>> "values"
>>
>> > >
>>
>> > > > from. I'd have to go try it myself.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > But to start with you might want to just configure your profile
in
>> this
>>
>> > >
>>
>> > > > kind of way, and then we can figure out
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > any problems with where the data is coming from.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > It may take a quick look at the code to see what is going on
there.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > thanks,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > jack
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > As a first test, if you are not providing the proper data for say
2
>> or 3
>>
>> > >
>>
>> > > > sans, I suspect that the final output may show that you tried
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > to set 3 sans but the data is null or something,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > thanks,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > jack
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > ----- Original Message -----
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > From: "Rafael Leiva-Ochoa"
<spawn(a)rloteck.net>
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > To: "John Magne" <jmagne(a)redhat.com>
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Cc: pki-users(a)redhat.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Sent: Thursday, January 12, 2017 3:38:11 PM
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Subject: Re: [Pki-users] SAN on Certificate
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Here is the last one I got...
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > "The patterns are defined, "hard-coded", as
part of the profile
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > configuration. Therefore the number of SANs for any given
profile
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > is fixed (if you are using the SubjectAltNameExtDefault
class).
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Each pattern gets formatted using information available in
the
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > request. See the documentation linked below for a table of
the
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > variables you can include in these patterns.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > I cannot see a way to propagate arbitrary domain names,
other than
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > the CN (which is available as the
$request.req_subject_name.cn$
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > variable), into SAN names, via
SubjectAltNameExtDefault."
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > You also responded with the links I have on this email.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > The original email subject on the list was: "SAN Feild
in the MSCE
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > profile". I think you told me last time you were too
busy to
>> help.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > Thanks,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > R
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > On Thu, Jan 12, 2017 at 3:25 PM John Magne
<jmagne(a)redhat.com>
>> wrote:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > Yeah sure, it just forward it to the list.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > ----- Original Message -----
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > From: "Rafael Leiva-Ochoa"
<spawn(a)rloteck.net>
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > To: "John Magne" <jmagne(a)redhat.com>
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > Cc: pki-users(a)redhat.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > Sent: Thursday, January 12, 2017 3:08:50 PM
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > Subject: Re: [Pki-users] SAN on Certificate
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > I can send you the email that I got from the list?
Will this be
>>
>> > > good?
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > Thanks,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > R
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > On Thu, Jan 12, 2017 at 3:05 PM John Magne
<jmagne(a)redhat.com>
>>
>> > > wrote:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > Hi:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > Is there any way you can reproduce the confusing
answer you
>> got,
>>
>> > >
>>
>> > > > which
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > may
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > give us a head start?
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > ----- Original Message -----
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > From: "Rafael Leiva-Ochoa"
<spawn(a)rloteck.net>
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > To: pki-users(a)redhat.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Sent: Thursday, January 12, 2017 2:36:36 PM
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Subject: Re: [Pki-users] SAN on Certificate
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Any takers?
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > On Tue, Jan 10, 2017 at 4:35 PM Rafael
Leiva-Ochoa <
>>
>> > >
>>
>> > > > spawn(a)rloteck.net
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > wrote:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Hi Everyone,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > I am sorry for asking this question again,
but the last
>> time I
>>
>> > >
>>
>> > > > asked
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > it,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > I
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > was confused with the answer. I am trying to
create a
>>
>> > > "certificate
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > profile"
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > that will support 3 to 4 SAN (Subject
Alternative Names),
>> since
>>
>> > > the
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > current
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > profiles do not have support for this by
default. I was
>> trying to
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > duplicate
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > the "Manual Server Certificate
Enrollment" profile, and
>> adding
>>
>> > > SAN
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > support.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > I tried using this as a guild:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
https://access.redhat.com/documentation/en-US/Red_Hat_
>> Certificate_System/8.1/html/Admin_Guide/Certificate_and_
>> CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > and
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
https://access.redhat.com/documentation/en-US/Red_Hat_
>> Certificate_System/8.1/html/Admin_Guide/Managing_Subject_
>> Names_and_Subject_Alternative_
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Names .html
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > This is how the profile looks like:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9.
constraint.class_id=
>> noConstraintImpl
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9.constraint. name
=No Constraint
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9. default.class_id=
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > subjectAltNameExtDefaultImpl
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9.default. name =
Subject
>> Alternative
>>
>> > > Name
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > Extension
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Default
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9. default.params.
>>
>> > >
>>
>> > > > subjAltExtGNEnable_0=true
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9. default.params.
>> subjAltExtPattern_0=
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9.
default.params.subjAltExtType_
>>
>> > > 0=DNSName
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9. default.params.
>>
>> > >
>>
>> > > > subjAltNameExtCritical=false
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > policyset.serverCertSet.9. default.params.
>> subjAltNameNumGNs=1
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > The CSR looks like this:
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *Common Name :*
node1.example.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > * Subject Alternative Names :*
test.example.com ,
>>
>> > >
>>
>> > > >
test1.example.com ,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
test2.example.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *Organization:* Test Corp
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *Organization Unit:* IT Department
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *Locality:* LA
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *State:* OR
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > *Country:* US
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > I am doing to do this instead of using
wildcard certs.
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Thanks,
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Rafael
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
_______________________________________________
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Pki-users mailing list
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > > Pki-users(a)redhat.com
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > > >
https://www.redhat.com/mailman/listinfo/pki-users
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > > >
>>
>> > >
>>
>> > >
>>
>> >
>>
>>