I've tried a variety of ways to get this to go into the system and either I'm missing something obvious or there's something buggy going on. I figured out the test system that wasn't giving me inputs to fill in on the request was an older version, 10.2.5. I've updated that system to 10.3.3.

* pki ca-profile-show --output caServerCert.cfg --raw caServerCert
* pki ca-profile-disable caServerCert

Edit the file and add in the following lines to the bottom of the profile:

[...---...]
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
[...---...]

NOTE: I changed the policyset to match what the rest of the profile said in the default caServerCert profile from the 10.3.3 install: from ServerProfile to serverCertSet.

* pki ca-profile-add caServerCert.cfg --raw

Then go to the WebUI and submit a request that has SAN entries in it. After I approve it, there are no SANs in the cert.

What am I missing?

Thanks
ian

On Tue, 15 Nov 2016 at 12:57 Ian Koenig <[email protected]> wrote:
> Thanks Supper. Is there clear documentation on how to create a new
> certificate profile that is visible via the WebUI?
>
> I tried this process:
>
> 1) pki -C client_password.txt -n caadmin ca-server-show --output
> caServerSANCert.cfg --raw caServerCert
>
> a) Add in the lines you specified above to caServerSANCert.cfg
>
> b) Update the line profileID to be caServerSANCert
>
> 4) pki -C client_password.txt -n caadmin ca-profile-add --raw
> caServerSANCert.cfg
>
> 5) Approve this new profile.
>
> What happens is, when I attempt to issue a cert request via the WebUI, there
> are no inputs for me to fill in like the default caServerCert profile.
> Just some text about Cert profile and description, then Inputs in bold and
> a Submit button.
>
> Thanks
> ian
>
> On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT <[email protected]> wrote:
> > Hi,
> > You have to add the following lines into your certificate profile:
> >
> > policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
> > policyset.ServerProfile.10.constraint.name=No Constraint
> > policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
> > policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
> > policyset.ServerProfile.10.default.name=User Supplied Extension Default
> > policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
> >
> > Then the SANs will be added to the certificate.
> >
> > BR
> > Florian
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of Ian Koenig
> > Sent: Monday, 14 November 2016 19:18
> > To: [email protected]
> > Subject: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]
> >
> > > Hi all,
> > >
> > > I have Dogtag 10.3.3 installed from the COPR @pki effort onto a CentOS 7.2
> > > (build 1511) system.
> > >
> > > I can request and approve various different certs through the system
> > > successfully and have it working properly with SSL client certificates in
> > > Chrome.
> > >
> > > What I haven't been able to figure out is how to generate a server SSL cert
> > > that has SubjectAltName entries in it. An example cnf file I have tried is:
> > >
> > > [...]
> > > [ v3_req ]
> > >
> > > # Extensions to add to a certificate request
> > >
> > > basicConstraints = CA:FALSE
> > > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > > subjectAltName = @alt_names
> > >
> > > [ alt_names ]
> > > DNS.1 = demo.myhome.com
> > > DNS.2 = demo
> > > DNS.3 = demo.prod.myhome.com
> > >
> > > [...]
> > >
> > > This generates a valid CSR with the SubjectAltNames in it. However, when I
> > > send it through to be approved on Dogtag, the SAN gets removed. How do I
> > > set up a profile in Dogtag to allow this CSR with SAN to get approved?
> > >
> > > Thanks
> > > ian
> > > _______________________________________________
> > > Pki-users mailing list
> > > [email protected]
> > > https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
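The policy block Florian posted, applied by a small script instead of by hand. This is an added example written for this thread, not Dogtag's own tooling or anything either poster shipped. It reads a profile exported with `pki ca-profile-show --raw`, takes the policy set name from the profile's own `policyset.list` key (the thread's first attempt used a hard-coded `ServerProfile` name that did not match the 10.3.3 profile), picks the next unused index instead of assuming `10`, appends the six lines, and adds the new index to `policyset.<set>.list`. The sample profile is constructed and abbreviated, and the premise that a policy must be enumerated in the `.list` key before the CA evaluates it is my assumption about the raw profile format, not something the thread states.

```python
"""Append a User Supplied Extension policy (SAN copied from the CSR) to a
Dogtag raw profile export. Added example for this thread; not Dogtag code."""
import re
import sys

# Constructed, abbreviated profile in the shape of `pki ca-profile-show --raw`
# output. Only the keys this script reads (policyset.list and the per-set
# index list) matter here; a real caServerCert profile has many more lines.
SAMPLE_PROFILE = """\
profileId=caServerCert
classId=caEnrollImpl
visible=true
enable=true
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
"""

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName, the OID used in the thread


def parse_profile(text):
    """key=value lines -> dict; blank lines and comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def policy_set_name(props):
    """Policy set name from policyset.list (e.g. serverCertSet). Reading it
    from the profile avoids the ServerProfile/serverCertSet mismatch."""
    sets = [s.strip() for s in props.get("policyset.list", "").split(",") if s.strip()]
    if len(sets) != 1:
        raise ValueError(f"expected exactly one policy set, found {sets}")
    return sets[0]


def next_policy_index(props, pset):
    """Next unused numeric index, considering both the .list key and any
    policy keys already present under this set (listed or not)."""
    listed = [int(i) for i in props.get(f"policyset.{pset}.list", "").split(",") if i.strip()]
    pat = re.compile(rf"^policyset\.{re.escape(pset)}\.(\d+)\.")
    present = []
    for key in props:
        m = pat.match(key)
        if m:
            present.append(int(m.group(1)))
    return max(listed + present, default=0) + 1


def has_san_policy(props, pset):
    """True if a userExtensionDefaultImpl policy for the SAN OID already exists."""
    for key, value in props.items():
        if (key.startswith(f"policyset.{pset}.")
                and key.endswith(".default.params.userExtOID")
                and value == SAN_OID):
            return True
    return False


def add_user_san_policy(text):
    """Return (updated_profile_text, new_index); new_index is None when the
    policy is already present, so running the script twice is harmless."""
    props = parse_profile(text)
    pset = policy_set_name(props)
    if has_san_policy(props, pset):
        return text, None
    idx = next_policy_index(props, pset)
    prefix = f"policyset.{pset}.{idx}"
    # The six lines from the thread, with the policy set name and index filled in.
    block = [
        f"{prefix}.constraint.class_id=noConstraintImpl",
        f"{prefix}.constraint.name=No Constraint",
        f"{prefix}.constraint.subjAltNameExtCritical=false",
        f"{prefix}.default.class_id=userExtensionDefaultImpl",
        f"{prefix}.default.name=User Supplied Extension Default",
        f"{prefix}.default.params.userExtOID={SAN_OID}",
    ]
    # Assumption (not stated in the thread): a policy is only evaluated when
    # its index is enumerated in policyset.<set>.list, so that key is updated.
    list_key = f"policyset.{pset}.list"
    listed = [i.strip() for i in props.get(list_key, "").split(",") if i.strip()]
    new_list_line = f"{list_key}={','.join(listed + [str(idx)])}"
    out, replaced = [], False
    for line in text.splitlines():
        if line.strip().startswith(list_key + "="):
            out.append(new_list_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_list_line)
    out.extend(block)
    return "\n".join(out) + "\n", idx


if __name__ == "__main__":
    # Usage: python3 add_san_policy.py caServerCert.cfg > caServerCert.san.cfg
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    updated, idx = add_user_san_policy(src)
    sys.stdout.write(updated)
    sys.stderr.write("no change, SAN policy already present\n" if idx is None
                     else f"added policy index {idx}\n")
```

The rewritten file is what you would feed to `pki ca-profile-add --raw` after disabling the old profile, as in the steps above. After approving a request against the new profile, check the issued certificate's Subject Alternative Name extension rather than trusting the profile edit; if it is still missing, the policy is not being evaluated, and the `.list` line and policy set name are the first two things to compare against the profile the CA actually loaded.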
