You could try to modify a profile for SSL server certificate enrollment:

cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg

...snip...
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
...snip...
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.name=Extension Constraint
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.constraint.params.extCritical=false
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.params.userExtCritical=false

Restart the CA and apply a CSR to the modified profile that has a user supplied extension for that OID, and a value; they should then appear in the X509v3 extensions of the issued certificate.

On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <[email protected]> wrote:
> Hi list,
> I'm currently trying to add some extensions (For puppet trusted
> facts https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> to my certificates. As far as I understand, I have to create / modify
> a profile to do so. From the CSR, I can see the request extension
>
>
> Requested Extensions:
> 1.3.6.1.4.1.34380.1.1.13:
> ..my_puppet_role
> X509v3 Subject Alternative Name:
>
> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13
> retrieve its value in $request$ ? Is there something similar,
> somewhere that I can use as an example ? a doc to read ?
>
> Many thanks
> Joris
>
> _______________________________________________
> Pki-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-users
>
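Added example, not part of the original thread and not Dogtag's own tooling: a small Python check for the profile edit described in the reply. It flags a policy id that is defined but missing from policyset.serverCertSet.list, a listed id without a constraint or default class, and a constraint extOID that differs from the default userExtOID. The function names and the reduced sample profile are assumptions constructed for illustration.

```python
import re

# Constructed sample: the policy set from the reply, reduced to the lines the check needs.
SAMPLE_PROFILE = """\
policyset.serverCertSet.list=1,pp
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
"""

def parse_profile(text):
    """Parse key=value lines of a profile .cfg, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint_policy_set(props, set_name="serverCertSet"):
    """Return a list of problems found in one policy set (empty list = consistent)."""
    prefix = f"policyset.{set_name}."
    listed = [i.strip() for i in props.get(prefix + "list", "").split(",") if i.strip()]
    # Every id that has at least one constraint.* or default.* key.
    pattern = re.compile(re.escape(prefix) + r"([^.]+)\.(constraint|default)\.")
    defined = {m.group(1) for m in map(pattern.match, props) if m}
    problems = []
    for pid in listed:
        for part in ("constraint", "default"):
            if f"{prefix}{pid}.{part}.class_id" not in props:
                problems.append(f"{pid}: missing {part}.class_id")
    # The reply both defines "pp" and appends it to the list; check the two agree.
    for pid in sorted(defined - set(listed)):
        problems.append(f"{pid}: defined but not in {prefix}list")
    for pid in sorted(defined):
        ext = props.get(f"{prefix}{pid}.constraint.params.extOID")
        user = props.get(f"{prefix}{pid}.default.params.userExtOID")
        if ext and user and ext != user:
            problems.append(f"{pid}: constraint extOID {ext} != default userExtOID {user}")
    return problems

if __name__ == "__main__":
    for problem in lint_policy_set(parse_profile(SAMPLE_PROFILE)) or ["no problems found"]:
        print(problem)
```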
