Re: [Pki-users] SubjectAltName - how?

[Supper Florian 6342 sIT]

Hi Ian,

i’ve lost your last mail..
but I could remember what the question was..

You’ve copied the part I’ve send to you in your profile and tried to enroll a 
cert..
But if you sign the cert the sans are not included..

Please have a look at this line in your profile..

policyset.serverCertSet.list=1,2,3,4,5,6,7,8

In this line the Number of the SAN extension part, which I’ve send to you has 
to be included.. So add a “10” at the end of the line below. Restart your ca 
service and try again..

If this does not work too, please send me your whole profile, and I will test 
it in my testing environment..

Br
Florian


Von: Ian Koenig [mailto:i...@ionsphere.org]
Gesendet: Freitag, 18. November 2016 06:28
An: Supper Florian 6342 sIT; Ian Koenig; pki-users@redhat.com
Betreff: Re: [Pki-users] SubjectAltName - how?

How do you modify your profile?   I've followed the redhat documentation and 
stuff doesn't work.  As such I feel like I'm missing something based on how you 
are talking.

How do you submit new requests?   Through the Web UI or command line with the 
pki command?

If via the WebUI does the agents page change when you change the profile 
configurations?

Thanks


On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT 
<florian.sup...@s-itsolutions.at<mailto:florian.sup...@s-itsolutions.at>> wrote:
Hi Ian,

There is an redhat documentation available for dogtag version 8 and 9. They 
might help you.
In my case, I mostly copy an existing profile and made the changes I’ve need in 
the copied one.

BR
Florian


Von: Ian Koenig [mailto:i...@ionsphere.org<mailto:i...@ionsphere.org>]
Gesendet: Dienstag, 15. November 2016 19:57
An: Supper Florian 6342 sIT; Ian Koenig; 
pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: Re: [Pki-users] SubjectAltName - how?

Thanks Supper.   Is there a clear documentation on how to create a new 
certificate profile that is visible via the WebUI?

I tried this process:

1) pki -C client_password.txt -n caadmin ca-server-show --output 
caServerSANCert.cfg --raw caServerCert

   a) Add in the lines you specified above to caServerSANCert.cfg

   b) Update the line profileID to be caServerSANCert

4) pki -C client_password.txt -n caadmin ca-profile-add --raw 
caServerSANCert.cfg

5) Approve this new profile.

What happens when I attempt to issue a cert request via the WebUI, there are no 
inputs for me to fill in like the default caServerCert profile.  Just some text 
about Cert profile and description, then Inputs in bold and a Submit button.


Thanks
ian


On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT 
<florian.sup...@s-itsolutions.at<mailto:florian.sup...@s-itsolutions.at>> wrote:
Hi,
You have to add the following lines into your certificate profile..

policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name<http://policyset.ServerProfile.10.constraint.name>=No
 Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name<http://policyset.ServerProfile.10.default.name>=User
 Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17

Then the SAN's will be added to the certificate.

BR
Florian

-----Ursprüngliche Nachricht-----
Von: pki-users-boun...@redhat.com<mailto:pki-users-boun...@redhat.com> 
[mailto:pki-users-boun...@redhat.com<mailto:pki-users-boun...@redhat.com>] Im 
Auftrag von Ian Koenig
Gesendet: Montag, 14. November 2016 19:18
An: pki-users@redhat.com<mailto:pki-users@redhat.com>
Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed]

Hi all,

I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2
(build 1511) system.

I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.

What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it.   An example cnf file I have tried
is

[ .  .  . ]
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA : FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = (at)alt_names

[ alt_names ]
DNS . 1 = demo . myhome . com
DNS . 2 = demo
DNS . 3 = demo . prod . myhome . com

[ .  .  . ]

This generates a valid CSR with the SubjectAltNames in it.   However when I
send it through to be approved on Dogtag, the SAN gets removed.  How do I
setup a profile in Dogtag to allow this CSR with SAN get approved?

Thanks
ian
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat . com
https :  /  / www . redhat . com / mailman / listinfo / pki-users

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users