Hi,

...
style:
    ...
    enroll:
        subject:
            dn: CN=[% CN.0 %],DC=...,DC=...
            san:
                dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
                otherName: "1.3.6.1.4.1.311.25.1:<HEX code in this case of DC GUID>"
...
extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        key_encipherment: 1
        non_repudiation: 1
    extended_key_usage:
        critical: 0
        client_auth: 1
        server_auth: 1
        #msKDC certification
        1.3.6.1.5.2.3.5: 1
        #Subject Alt Name UPN OtherName
        1.3.6.1.4.1.311.20.2.3: 1
        #Guid
        1.3.6.1.4.1.311.25.1: 1
        #id DomainController for MS template name to be able to insert
        #it in MS Domain Controllers cert store. Samba not needed.
        1.3.6.1.4.1.311.20.2: 1
    oid:
        1.3.6.1.4.1.311.20.2:
            critical: 0
            format: ASN1
            encoding: UTF8String
            value: DomainController

On 07/09/2022 14:28, Scott Thomas via OpenXPKI-users wrote:
Hello,

I tried it but couldn't succeed. Can you please share your exact modification?

Regards
Scotty

On Wednesday, 19 May 2021 at 09:59:03 pm GMT+5, Michal Moravec <[email protected]> wrote:


Hi there,

I have been recently configuring this. See default profiles/sample.yaml

You need to specify otherName by specific OID inside SAN like this:

subject:
  san:
    otherName: "1.3.6.1.4.1.311.20.2.3;UTF8:[% VARIABLE_WITH_UPN %]"

Also you need to add SMARTCARD logon capability to the extended_key_usage:

extended_key_usage:
  1.3.6.1.4.1.311.20.2.2: 1

I found out there used to be a predefined variable for UPN but it got removed: https://github.com/openxpki/openxpki/commit/230bc37dfcf30586c98d58a66d96c32ea69e1796
Not sure why.


Best regards,

Michal Moravec, Apple system administrator
Logicworks, s.r.o. <https://logicworks.cz>
Argentinská 1621/36, Praha 7
www.logicworks.cz | 778745013


On 19. 5. 2021, at 18:34, Scott Thomas via OpenXPKI-users <[email protected]> wrote:

Hi,

I want to add a UPN name or Principal Name (same as an email and used in MS Smart Card Logon) in the SAN (subject alternative name) of my /etc/openxpki/config.d/realm.tpl/profile/user_auth_enc.yaml.bak profile. How can I do this?

Regards
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users




--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
[email protected]
[email protected]
[email protected]
+358 45 85693 919
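
An added example, not part of the original thread and not OpenXPKI code: a standard-library Python round trip of the DER structure that the `1.3.6.1.4.1.311.20.2.3;UTF8:...` otherName setting discussed above should yield in the issued certificate's SAN, with a check that the value is a UTF8String as Windows smart card logon expects. The sample UPN `alice@example.test` and all function names are constructed for illustration.

```python
# Added example, not OpenXPKI code: DER round trip for the UPN otherName SAN entry.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"          # OID quoted in the thread
UTF8STRING, IA5STRING, OID_TAG, CTX0 = 0x0C, 0x16, 0x06, 0xA0

def tlv(tag, content):
    """DER tag-length-value, short or long length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, low group first
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))    # continuation bit on higher groups
        body += bytes(reversed(chunk))
    return tlv(OID_TAG, bytes(body))

def read_tlv(buf, pos=0):
    """Return (tag, content, offset of the next element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def upn_other_name(upn, string_tag=UTF8STRING):
    """GeneralName otherName: [0] { type-id OID, value [0] EXPLICIT string }."""
    value = tlv(CTX0, tlv(string_tag, upn.encode("utf-8")))
    return tlv(CTX0, encode_oid(UPN_OID) + value)

def check_upn_other_name(der):
    """Return the UPN; raise ValueError on wrong OID, tags or string type."""
    tag, inner, _ = read_tlv(der)
    _, _, oid_end = read_tlv(inner)
    wrap_tag, wrapped, _ = read_tlv(inner, oid_end)
    value_tag, value, _ = read_tlv(wrapped)
    if tag != CTX0 or wrap_tag != CTX0 or inner[:oid_end] != encode_oid(UPN_OID):
        raise ValueError("not a UPN otherName")
    if value_tag != UTF8STRING:
        raise ValueError("UPN value is not a UTF8String")
    return value.decode("utf-8")
```

To check a real certificate, extract the otherName bytes from its SAN extension with an ASN.1 tool and pass them to `check_upn_other_name`.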
