Hi, I've implemented support for automatically creating a DNS SUBJECT_ALT_NAME for certificates with a CN containing a host name. I've set the DEFAULT_SUBJECT_ALT_NAME variable to "Email,DNS" in my servers/ra.conf and servers/ca.conf and made the following change to sub crypto_get_csr_subject_alt_name in crypto-utils.lib:
=== modified file 'openca/trunk/openca-base/src/common/lib/functions/crypto-utils.lib' --- openca/trunk/openca-base/src/common/lib/functions/crypto-utils.lib 2009-04-21 15:27:23 +0000 +++ openca/trunk/openca-base/src/common/lib/functions/crypto-utils.lib 2009-04-22 13:37:08 +0000 
@@ -833,6 +833,11 @@ $csr->getParsed()->{DN_HASH}->{EMAILADDRESS}) { $subject_alt_name = "email:".$csr->getParsed()->{DN_HASH}->{EMAILADDRESS}[0]; + } + elsif ( ($default_subject_alt_name =~ /DNS/i) and + $csr->getParsed()->{DN_HASH}->{CN}[0] =~ /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i) + { + $subject_alt_name = "DNS:".$csr->getParsed()->{DN_HASH}->{CN}[0]; } else { return ""; }

So basically, if DEFAULT_SUBJECT_ALT_NAME contains "DNS" and the first CN looks a bit like a fully-qualified domain name it will set the subject_alt_name.

Has anyone done this before? Any sample code? What I'd really like is for the DEFAULT_SUBJECT_ALT_NAME to be chosen based on the profile of the request (so "Server" gets "DNS" and "User" gets "email", for example).

I also noticed that the automatically created subject_alt_name is not shown in the editCSR view: it looks like this has its own code for getting the s_a_n from the CSR: perhaps this should be modified to use common code from crypto-utils.lib. Perhaps the automatically generated subject_alt_name should be added to the CSR when the request is originally received, rather than adding it in "viewCSR" (should a "view" command really modify a request?!) Then it would be available for editing in editCSR.

Also, it's not clear to me if the auto-gen'd s_a_n is actually included in the signed request sent from the RA to the CA: I suspect not.

Any suggestions or comments would be appreciated.

Kind regards,
David

--
Dr David O'Callaghan
Research Fellow - Grid-Ireland - e-INIS - Computer Architecture & Grid
School of Computer Science & Statistics, Trinity College, Dublin 2, Ireland
Telephone: +353 1 896 1720
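Review bot: the new elsif reads `$csr->getParsed()->{DN_HASH}->{CN}[0]` with no `defined` check, so a request whose DN has no CN emits an uninitialized-value warning before falling through to `return "";`; add `defined` (and a test that `{CN}` exists) to the condition, mirroring the way the email branch's condition tests EMAILADDRESS before using it. Two further points on the same hunk: because the DNS case is an `elsif` after the email case, a request that carries both an emailAddress and a hostname-shaped CN only ever gets the email SAN, even with DEFAULT_SUBJECT_ALT_NAME set to "Email,DNS", so either document that the first matching type wins or make the two branches independent and join the results; and `/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i` only checks shape (it accepts labels that begin or end with a hyphen and imposes no length limit) while the CN is entirely requester-supplied, so with this change the RA vouches for whatever DNS name the requester typed; restricting the match to domains the RA is entitled to issue for, or tying the allowed SAN type to the profile as the mail itself proposes, would close that gap.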
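To show the profile-based selection the mail asks for, here is an added Perl sketch (not OpenCA code and not the author's) that maps a request profile to the SAN types it may carry, guards against a missing CN, and applies a stricter hostname test than the pattern in the patch; the profile names and the `%SAN_TYPES_FOR_PROFILE` map are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed mapping from request profile to the SAN types it may carry.
my %SAN_TYPES_FOR_PROFILE = (
    Server => [ 'DNS' ],
    User   => [ 'email' ],
    Mixed  => [ 'DNS', 'email' ],
);

# Stricter than /^[a-z0-9-]+(\.[a-z0-9-]+)+$/: every label is 1-63 chars,
# alphanumeric at both ends, at least two labels, whole name <= 253 chars.
sub looks_like_fqdn {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    my @labels = split /\./, $name, -1;    # -1 keeps a trailing empty label
    return 0 if @labels < 2;
    for my $label (@labels) {
        return 0 unless $label =~ /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
    }
    return 1;
}

# Build the subjectAltName string from a DN hash shaped like
# $csr->getParsed()->{DN_HASH} (attribute name => array of values).
# Every permitted type that can be derived is included; an unknown
# profile or no derivable type yields "", as the original code does.
sub san_from_dn {
    my ($profile, $dn_hash) = @_;
    my $types = $SAN_TYPES_FOR_PROFILE{$profile} or return "";
    my @parts;
    for my $type (@$types) {
        if ($type eq 'DNS') {
            my $cn = $dn_hash->{CN} ? $dn_hash->{CN}[0] : undef;
            push @parts, "DNS:$cn" if looks_like_fqdn($cn);
        }
        elsif ($type eq 'email') {
            my $mail = $dn_hash->{EMAILADDRESS} ? $dn_hash->{EMAILADDRESS}[0] : undef;
            push @parts, "email:$mail" if defined $mail && length $mail;
        }
    }
    return join ",", @parts;
}

# Constructed sample requests: a server, a CN with a leading hyphen (rejected),
# a user with no hostname-shaped CN, and a mixed profile carrying both.
print san_from_dn('Server', { CN => ['www.example.org'] }), "\n";
print san_from_dn('Server', { CN => ['-bad.example.org'] }), "\n";
print san_from_dn('User',   { CN => ['Jane Doe'], EMAILADDRESS => ['jane@example.org'] }), "\n";
print san_from_dn('Mixed',  { CN => ['mail.example.org'], EMAILADDRESS => ['postmaster@example.org'] }), "\n";
```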