Hi Marc,

2016-12-09 1:05 GMT+01:00 Marc Sauton <[email protected]>:
> you could try to modify a profile for SSL server certificate enrollment:
>
> cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> ...snip...
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> ...snip...
> policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> policyset.serverCertSet.pp.constraint.name=Extension Constraint
> policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.constraint.params.extCritical=false
> policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> policyset.serverCertSet.pp.default.params.userExtCritical=false

Excellent, it works like a charm! I just changed extensionConstraintImpl to noConstraintImpl so that the extensions are not mandatory anymore.

Here is the complete puppet trusted facts sequence. Useful to use DogTag (FreeIPA in my case) as an external pki for Puppet.

Many thanks
Joris

policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.constraint.params.extCritical=false
policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp1.default.params.userExtCritical=false
policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.constraint.params.extCritical=false
policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.default.params.userExtCritical=false
policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.constraint.params.extCritical=false
policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
policyset.serverCertSet.pp3.default.params.userExtCritical=false
policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.constraint.params.extCritical=false
policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
policyset.serverCertSet.pp4.default.params.userExtCritical=false
policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.constraint.params.extCritical=false
policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
policyset.serverCertSet.pp5.default.params.userExtCritical=false
policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.constraint.params.extCritical=false
policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
policyset.serverCertSet.pp6.default.params.userExtCritical=false
policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.constraint.params.extCritical=false
policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
policyset.serverCertSet.pp7.default.params.userExtCritical=false
policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.constraint.params.extCritical=false
policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
policyset.serverCertSet.pp8.default.params.userExtCritical=false
policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.constraint.params.extCritical=false
policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
policyset.serverCertSet.pp9.default.params.userExtCritical=false
policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.constraint.params.extCritical=false
policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
policyset.serverCertSet.pp10.default.params.userExtCritical=false
policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.constraint.params.extCritical=false
policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
policyset.serverCertSet.pp11.default.params.userExtCritical=false
policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.constraint.params.extCritical=false
policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
policyset.serverCertSet.pp12.default.params.userExtCritical=false
policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.constraint.params.extCritical=false
policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.default.params.userExtCritical=false
policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.constraint.params.extCritical=false
policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
policyset.serverCertSet.pp14.default.params.userExtCritical=false
policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.constraint.params.extCritical=false
policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
policyset.serverCertSet.pp15.default.params.userExtCritical=false
policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.constraint.params.extCritical=false
policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
policyset.serverCertSet.pp16.default.params.userExtCritical=false
policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.constraint.params.extCritical=false
policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
policyset.serverCertSet.pp17.default.params.userExtCritical=false
policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.constraint.params.extCritical=false
policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
policyset.serverCertSet.pp18.default.params.userExtCritical=false
policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.constraint.params.extCritical=false
policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
policyset.serverCertSet.pp19.default.params.userExtCritical=false
policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.constraint.params.extCritical=false
policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp20.default.params.userExtCritical=false
policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.constraint.params.extCritical=false
policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
policyset.serverCertSet.pp21.default.params.userExtCritical=false
policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.constraint.params.extCritical=false
policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
policyset.serverCertSet.pp22.default.params.userExtCritical=false
policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.constraint.params.extCritical=false
policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
policyset.serverCertSet.pp23.default.params.userExtCritical=false
policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.constraint.params.extCritical=false
policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
policyset.serverCertSet.pp24.default.params.userExtCritical=false
policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.constraint.params.extCritical=false
policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
policyset.serverCertSet.pp25.default.params.userExtCritical=false

>
> restart the CA and apply a CSR to the modified profile that has a user
> supplied extension for that OID, and a value, they should then appear in the
> X509v3 extensions of the issued certificate
>
> On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <[email protected]> wrote:
>>
>> Hi list,
>> I'm currently trying to add some extensions (for puppet trusted facts,
>> https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
>> to my certificates. As far as I understand, I have to create / modify
>> a profile to do so. From the CSR, I can see the request extension
>>
>> Requested Extensions:
>> 1.3.6.1.4.1.34380.1.1.13:
>> ..my_puppet_role
>> X509v3 Subject Alternative Name:
>>
>> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13 and
>> retrieve its value in $request$ ? Is there something similar,
>> somewhere that I can use as an example ? a doc to read ?
>>
>> Many thanks
>> Joris

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
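The stanzas in the thread follow one fixed pattern per Puppet fact, and Marc's snippet shows that each new policy also has to be named in policyset.serverCertSet.list, which Joris's dump does not include. The following added example (my own code, not from the thread or from Dogtag) renders the whole fragment for the 25 pp_* OIDs, optionally making chosen facts mandatory via extensionConstraintImpl, and lints a fragment for a missing list= line, a stanza absent from list=, or a constraint/default OID mismatch before the CA is restarted.

```python
# Added example (not from the thread or from Dogtag): render the Puppet trusted-fact
# stanzas for a Dogtag server-cert profile and lint a fragment for silent mistakes.
import re
PUPPET_ARC = "1.3.6.1.4.1.34380.1.1"  # Puppet's OID arc: pp_<fact> lives at <arc>.<n>
PUPPET_FACTS = dict(enumerate((  # n -> fact name, numbering as in the thread
    "pp_uuid pp_instance_id pp_image_name pp_preshared_key pp_cost_center pp_product "
    "pp_project pp_application pp_service pp_employee pp_created_by pp_environment "
    "pp_role pp_software_version pp_department pp_cluster pp_provisioner pp_region "
    "pp_datacenter pp_zone pp_network pp_securitypolicy pp_cloudplatform pp_apptier "
    "pp_hostname").split(), start=1))

def render_stanza(n, name, mandatory=False):
    """Policy 'pp<n>': copy the CSR's extension into the cert; optionally require it."""
    p, oid = f"policyset.serverCertSet.pp{n}", f"{PUPPET_ARC}.{n}"
    constraint = "extensionConstraintImpl" if mandatory else "noConstraintImpl"
    return [f"{p}.constraint.class_id={constraint}",
            f"{p}.constraint.name=Puppet {name}",
            f"{p}.constraint.params.extOID={oid}",
            f"{p}.constraint.params.extCritical=false",
            f"{p}.default.class_id=userExtensionDefaultImpl",
            f"{p}.default.name=Puppet {name}",
            f"{p}.default.params.userExtOID={oid}",
            f"{p}.default.params.userExtCritical=false"]

def render_fragment(facts=PUPPET_FACTS, existing=range(1, 9), mandatory=()):
    """Whole fragment, including the list= line that names every active policy."""
    ids = [str(i) for i in existing] + [f"pp{n}" for n in facts]
    lines = [f"policyset.serverCertSet.list={','.join(ids)}"]
    for n, name in facts.items():
        lines += render_stanza(n, name, n in mandatory)
    return "\n".join(lines)

OID_KEY = re.compile(r"^policyset\.serverCertSet\.(\w+)\.(constraint|default)\.params\.(?:ext|userExt)OID=(\S+)$")

def lint_fragment(text):
    """Problems that make a stanza a no-op or carry the wrong OID into the cert."""
    problems, listed, oids = [], set(), {}
    for line in text.splitlines():
        if line.startswith("policyset.serverCertSet.list="):
            listed = set(line.split("=", 1)[1].split(","))
        elif m := OID_KEY.match(line):
            oids.setdefault(m[1], {})[m[2]] = m[3]
    if not listed:
        problems.append("no policyset.serverCertSet.list= line: nothing is active")
    for pol, seen in oids.items():
        if pol not in listed:
            problems.append(f"{pol}: defined but not in list=, so it is ignored")
        if len(set(seen.values())) > 1:
            problems.append(f"{pol}: constraint extOID != default userExtOID")
    return problems
```

The `existing=range(1, 9)` default reproduces the 1..8 policies already in Marc's list= line; pass the IDs actually present in your caServerCert.cfg.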
