Hi Oliver,

On Friday, 16 September 2016 12:54:44 CEST Oliver Welter wrote:
> > First things we're targeting:
> > - in the SAN field we'd like to change the input fields (allow ipv6
> > addresses...)
> That's easy - have a look at the profile definition in the
> realm/ca-one/profile folder, in the "ui -> san" block add a new
> definition, e.g. "ipv6". Then go to the template/ subfolder, make a copy
> of the ipv4.yaml file and adjust the regex to match your desired format.

ok, I did the following:

First I tried to add san_ipv6 as you suggested. This somehow worked, but ended
with the SAN field of the certificate not being properly populated: instead of
"IP Address: aaa::1", the label was missing, so it showed ":aaa::1". Changing
the id to "ip" in the san_ipv6.yaml caused validation errors (looks like the
regex from san_ipv4 was applied...).

Anyway, I decided to modify the ipv4 type, since in the CSR there's no
difference between ipv4 and ipv6 SAN addresses - it's always "IP Address:
<...>". This accepted ipv4 and ipv6 addresses when creating a CSR, but in the
end the policy was violated. Looks like there's another place where the "ip"
type is checked?!

I tried to find something in the logfiles, so far no luck...

The certificate is generated without errors, but the IPv6 address is truncated 
after the first colon (e.g. "2001:").

So the question for me is:

Is it preferred to go your suggested way and somehow make OpenXPKI insert
the ipv6 address as an "IP Address:" field in the CSR, or would it be easier to
modify the existing ipv4 type to accept ipv6 as well?



OpenXPKI-users mailing list
