Ha - the truncation of the IPv6 address is apparently an error in the ui. If I 
decode the certificate on the cli it shows:

            X509v3 Subject Alternative Name:
                DNS:marvin.xxxx.lab, IP Address:2001:55C:5574:100:0:0:0:200, 
IP Address:

so the only thing that's open is the policy violation  (and ui fix) ;-)



On Freitag, 16. September 2016 16:13:52 CEST Andreas Bourges wrote:
> Hi Oliver,
> On Freitag, 16. September 2016 12:54:44 CEST Oliver Welter wrote:
> > > First things we're targeting:
> > > - in the SAN field we'd  like to change the input fields (allow ipv6
> > > addresses...)
> > 
> > Thats easy - have a look at the profile definition in the
> > realm/ca-one/profile folder, in the "ui -> san" block add a new
> > definition, e.g. "ipv6". Then go to the template/ subfolder, make a copy
> > from the ipv4.yaml file and adjust the regex to match your desired format.
> ok, I did the following:
> First I tried to add san_ipv6 as you suggested. This somehow worked, but
> ended in the san-field of the certificate not being proper populated
> (instead of "IP Address: aaa::1") the label was missing, so it showed
> (":aaa::1"). Changing the id to "ip" in the san_ipv6.yaml caused validation
> errors (looks like the regex from san_ipv4 was applied...).
> Anyway. I decided to modify the ipv4 type, since in the csr there's no
> difference between ipv4 and ipv6 san addresses - it's always "IP Address:
> <...>". This accepted ipv4 and ipv6 addresses when creating a csr, but in
> the end the policy was violated. Looks like there's another place where the
> "ip" type is checked ?!
> I tried to find something in the logfiles, so far no luck...
> The certificate is generated without errors, but the IPv6 address is
> truncated after the first colon (e.g. "2001:").
> So the question for me is:
> Is it preferred to go your suggested way and make openxpki somehow to insert
> the ipv6 address as "IP Address:" field in the csr or would it be easier to
> modify the existing ipv4 type to accept ipv6 as well ?
> Thanks,
> Andreas

OpenXPKI-users mailing list

Reply via email to