Hi Arthur,
Short Answer: It's a bug - and to be honest we did not use (and test)
this feature for a long time and consider this a deprecated feature, so
we might not even fix it.
Please have a look how the "hostname2" is used in the TLS Server sample
profile and do it this way - this is the recommended and tested way to
add SAN items.
best regards
Oliver
On 04.09.19 at 13:30, Artuur Janssens wrote:
Hello,
I'm having some trouble implementing SAN in my certificates.
The profile I'm currently using (I omitted the company name):
```
# The name of the file equals the name of the profile
label: Example Internal TLS Server Certificate

validity:
    notafter: +050000

style:
    05_advanced_style:
        label: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_DESC
        ui:
            subject:
                - cn
                # - o
                # - ou
                # - dc
                # - c
            san:
                - san_dns
            info:
                - requestor_gname
                - requestor_name
                - requestor_email
                - requestor_affiliation
                - comment
        subject:
            dn: CN=[% CN %],OU=Internal,OU=IT,O=example,C=BE

    enroll:
        subject:
            dn: CN=[% CN %],OU=Internal,OU=IT,O=example,C=BE
            san:
                dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            entity: "[% CN.0 FILTER lower %]"

# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        non_repudiation: 0
        key_encipherment: 1
        data_encipherment: 0
        key_agreement: 0
        key_cert_sign: 0
        crl_sign: 0
        encipher_only: 0
        decipher_only: 0

    extended_key_usage:
        critical: 1
        # these are OIDs, some OIDs are known and have names
        client_auth: 0
        server_auth: 1
        email_protection: 0
        code_signing: 0
        time_stamping: 0
        ocsp_signing: 0

# end of extensions

# Define the input fields you used below here
#template:
```
However this gives me the following error (I omitted the company name in
the DN):
```
2019/09/04 13:19:20 openxpki.application.INFO persisted csr for CN=test.example.com,OU=Example,OU=IT,O=Example,C=BE with csr_serial 3583 [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.application.INFO start cert issue for serial 3583, workflow 11519 [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 system.crypto.ERROR OpenSSL error: Using configuration from /var/tmp/openxpki132672geFSqHO/openssl.cnf
Error Loading extension section v3ca
139957629179536:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=ca name=email_in_dn
139957629179536:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:v3_alt.c:550:name=dns.1
139957629179536:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=@san_section
unable to write 'random state'
[pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.application.WARN NICE issueCertificate failed but pause_on_error is requested [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.application.ERROR Original error: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 openxpki.application.INFO Action global_nice_issue_certificate paused (I18N_OPENXPKI_UI_PAUSED_CERTSIGN_TOKEN_SIGNING_FAILED), wakeup 2019-09-04T11:26:07 [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
2019/09/04 13:19:20 Workflow.ERROR Caught exception from action: [Generic exception]; reset workflow to old state 'NICE_ISSUE_CERTIFICATE' [pid=13267|sid=+Nku|wftype=certificate_signing_request_v2|wfid=11519]
```
Any ideas how I solve this problem? I tried looking at the example
files, but they use references that don't seem to exist in the
`template` folder.
Thanks!
Kind regards,
Artuur
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
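The OpenSSL error in the log above rejects `name=dns.1` in `san_section`; OpenSSL matches the name-type keyword of a subjectAltName entry case-sensitively. The following Python check is an added example, not part of the original thread and not OpenXPKI code: it flags keys in a generated `openssl.cnf` that OpenSSL would refuse. The function name `lint_san_section` and the sample configuration are constructed for illustration.

```python
import re

# Name-type keywords OpenSSL accepts in a subjectAltName section.
# The comparison is case-sensitive, so "dns.1" is not the same as "DNS.1".
SUPPORTED = ("email", "URI", "DNS", "RID", "IP", "dirName", "otherName")


def lint_san_section(cnf_text, section="san_section"):
    """Return (key, hint) for every key in [section] that OpenSSL would reject."""
    problems = []
    current = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)            # entering a new section
            continue
        if current != section or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        name = key.split(".", 1)[0]              # "dns.1" -> "dns"
        if name in SUPPORTED:
            continue
        # Suggest the correctly cased keyword when only the case differs.
        match = next((s for s in SUPPORTED if s.lower() == name.lower()), None)
        hint = f"use '{match}'" if match else "unknown name type"
        problems.append((key, hint))
    return problems


# Constructed sample modelled on the section names seen in the log above.
SAMPLE_CNF = """
[ v3ca ]
subjectAltName = @san_section

[ san_section ]
dns.1 = test.example.com   # lower-case key, as in the failing request
DNS.2 = www.example.com
"""

if __name__ == "__main__":
    for key, hint in lint_san_section(SAMPLE_CNF):
        print(f"{key}: {hint}")
```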