Hello Ryan,
I tried something with
pki-ca-8.1.0-11
and could not see the subject DN escape exception; maybe the request
was formed differently. In my test, the enrollment form was created by a profile
with this:
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=testmssan
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_name0=testmssan
input.i4.params.gi_num=1
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*
policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
policyset.userCertSet.1.default.params.dnpattern=CN=$request.testmssan$
policyset.userCertSet.1.default.params.ldap.enable=false
...
policyset.userCertSet.8.constraint.class_id=noConstraintImpl
policyset.userCertSet.8.constraint.name=No Constraint
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltNameExtCritical=true
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
policyset.userCertSet.8.default.params.subjAltExtType_0=DirectoryName
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.testmssan$
...
So in the enrollment form I provided:
UID testmssan
...
Generic Input
testmssan: cn=testmssan,ou=people,dc=example,dc=com
And I got a cert issued with:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: yes
Value:
DirectoryName:
CN=testmssan,OU=people,DC=example,DC=com
Thanks,
M.
On 01/21/2013 06:58 AM, ryan.millay(a)gdc4s.com wrote:
RHEL 5.8
Red Hat CS 8.1
I'm hoping this should be a relatively straightforward question and
others have run into something similar:
When generating a certificate, is it possible to dynamically
include/not include the Subject Alt Name field based on an LDAP
parameter? When looking at the certificate profile there's a
"subjAltExtGNEnable" parameter, but I don't believe that can be set to
a request parameter, like $request.includeSAN$ for example, based on
the testing I've done.
Assuming that the "subjAltExtGNEnable" field must be static text,
perhaps there is another workaround. If included, the Subject Alt
Name in this case would represent a user's full DN. If not included,
the request parameter could be left blank and the Subject Alt Name
would be empty. Here's a little snippet from the cert profile:
policyset.CSCertSet.7.constraint.class_id=noConstraintImpl
policyset.CSCertSet.7.constraint.name=No Constraint
policyset.CSCertSet.7.default.class_id=subjectAltNameExtDefaultImpl
policyset.CSCertSet.7.default.name=Subject Alternative Name Extension
Default
policyset.CSCertSet.7.default.params.subjAltExtGNEnable_0=true
policyset.CSCertSet.7.default.params.subjAltExtGNEnable_1=false
policyset.CSCertSet.7.default.params.subjAltExtGNEnable_2=false
policyset.CSCertSet.7.default.params.subjAltExtGNEnable_3=false
policyset.CSCertSet.7.default.params.subjAltExtGNEnable_4=false
policyset.CSCertSet.7.default.params.subjAltExtPattern_0=$request.pkisponsordn$
policyset.CSCertSet.7.default.params.subjAltExtPattern_1=
policyset.CSCertSet.7.default.params.subjAltExtPattern_2=
policyset.CSCertSet.7.default.params.subjAltExtPattern_3=
policyset.CSCertSet.7.default.params.subjAltExtPattern_4=
policyset.CSCertSet.7.default.params.subjAltExtType_0=DirectoryName
policyset.CSCertSet.7.default.params.subjAltExtType_1=RFC822Name
policyset.CSCertSet.7.default.params.subjAltExtType_2=RFC822Name
policyset.CSCertSet.7.default.params.subjAltExtType_3=RFC822Name
policyset.CSCertSet.7.default.params.subjAltExtType_4=RFC822Name
policyset.CSCertSet.7.default.params.subjAltNameExtCritical=false
The issue that arises here is the CA fails with an IO exception from
the $request.pkisponsordn$ format. That value is a user DN, similar to
CN=FIRSTNAME.LASTNAME, OU=ORGANIZATION, OU=ORGANIZATION2, O=COUNTRY,
C=COUNTRYCODE. The CA's debug log shows the '=' and the ',' being
escaped by backslashes. The CA then fails to populate the Subject Alt
Name due to the following error:
SubjectAltNameExtDefault: populate java.io.IOException: Unknown AVA
keyword 'CN\'.
Is there a way to properly escape the user DN so it can be used in the
Subject Alt Name? Again, the ultimate goal being the user DN could be
populated or not. If populated, it is included as the Subject Alt
Name. If not populated, the Subject Alt Name is left blank when the
certificate is generated.
Thank you,
Ryan Millay
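Both messages above turn on the same point: the value substituted into subjAltExtPattern_0 must be a plain RFC 4514 DN (as in M.'s working "cn=testmssan,ou=people,dc=example,dc=com"), and a value whose '=' and ',' have already been backslash-escaped is rejected with "Unknown AVA keyword 'CN\'". The following is an added example, not code from this thread or from the Dogtag/RHCS code base: a small RFC 4514 DN checker that a front end could run on the request parameter before enrollment. It parses the DN, re-serializes it with only the escaping the RFC requires, returns None for an empty value (so the SAN can be left out, which is Ryan's stated goal), and, on a parse failure, points out when the input looks pre-escaped. The keyword set, the function names and the two sample DNs are constructed assumptions.

```python
"""Added example (not from the pki-users thread or the Dogtag/RHCS code):
validate a $request.<param>$ value before it is used as a DirectoryName SAN.
"""
import re

# Attribute types accepted in a DirectoryName. Assumption: a typical X.500
# name-parser set; extend it for your own deployment.
KNOWN_AVA_KEYWORDS = {"CN", "OU", "O", "C", "L", "ST", "STREET", "UID",
                      "DC", "E", "EMAIL", "SN"}
_KEYWORD_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed samples: the raw DN from M.'s working test, and the
# over-escaped shape Ryan reported seeing in the CA debug log.
GOOD_SAMPLE = "cn=testmssan,ou=people,dc=example,dc=com"
ESCAPED_SAMPLE = ("CN\\=FIRSTNAME.LASTNAME\\, OU\\=ORGANIZATION\\, "
                  "OU\\=ORGANIZATION2\\, O\\=COUNTRY\\, C\\=COUNTRYCODE")


class DnError(ValueError):
    """Raised when a string is not a well-formed RFC 4514 DN."""


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2          # keep escape pairs intact
        elif text[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(raw):
    """Decode RFC 4514 escapes: '\\x' for a special char, '\\HH' hex pairs
    (consecutive pairs are collected and decoded as UTF-8)."""
    out, buf, i = [], bytearray(), 0

    def flush():
        if buf:
            out.append(buf.decode("utf-8")); buf.clear()

    while i < len(raw):
        if raw[i] == "\\" and _HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
            buf.extend(bytes.fromhex(raw[i + 1:i + 3])); i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            flush(); out.append(raw[i + 1]); i += 2
        else:
            flush(); out.append(raw[i]); i += 1
    flush()
    return "".join(out)


def parse_dn(dn):
    """Parse a DN string into [(TYPE, value), ...] in the written order.
    The attribute type ends at the first '=' whatever precedes it, because
    the RFC 4514 type grammar never contains a backslash; that is exactly
    why a pre-escaped 'CN\\=...' yields the keyword 'CN\\'."""
    avas = []
    for rdn in split_unescaped(dn, ","):
        rdn = rdn.lstrip()                       # spaces after ',' are not data
        keyword, eq, value = rdn.partition("=")
        keyword = keyword.strip()
        if not eq:
            raise DnError(f"RDN '{rdn}' has no '='")
        if not _KEYWORD_RE.match(keyword) or keyword.upper() not in KNOWN_AVA_KEYWORDS:
            raise DnError(f"Unknown AVA keyword '{keyword}'")
        avas.append((keyword.upper(), unescape_value(value.strip())))
    return avas


def format_dn(avas):
    """Re-serialize with only the escaping RFC 4514 requires."""
    def esc(v):
        v = re.sub(r'([\\,+"<>;=])', r"\\\1", v)
        if v.startswith(("#", " ")):
            v = "\\" + v
        if v.endswith(" "):
            v = v[:-1] + "\\ "
        return v
    return ",".join(f"{k}={esc(v)}" for k, v in avas)


def san_directory_name(request_value):
    """Empty input -> None (omit the SAN); otherwise a validated DN string."""
    if request_value is None or not request_value.strip():
        return None
    try:
        return format_dn(parse_dn(request_value))
    except DnError as e:
        hint = ""
        if re.search(r"\\[=,]", request_value):
            hint = " (value looks pre-escaped: '\\=' or '\\,' found; pass the raw DN)"
        raise DnError(f"{e}{hint}") from None


def check_request_value(value):
    """Non-raising wrapper: (dn_or_None, error_message_or_None)."""
    try:
        return san_directory_name(value), None
    except DnError as e:
        return None, str(e)


if __name__ == "__main__":
    for sample in (GOOD_SAMPLE, ESCAPED_SAMPLE, ""):
        print(repr(sample), "->", check_request_value(sample))
```

Run as a script it prints the normalized DN for the first sample, the "Unknown AVA keyword 'CN\'" message plus the pre-escaped hint for the second, and (None, None) for the empty value. The check belongs in whatever builds the request (a custom enrollment page or a script driving the CA), since the profile itself only substitutes the parameter as given.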
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users