On Fri, Dec 09, 2016 at 10:53:57AM -0800, Marc Sauton wrote:
> Glad it helps.
> Note in the context of IPA, the PKI / Dogtag profiles are now stored in the
> LDAP server backend, so the procedure is different in FreeIPA 4.4.
> If those changes are working fine in your environment, and if this may
> benefit others, as puppet makes use of more PKI, I would propose to open a
> RFE to add a new profile by default in the Dogtag project (so it can make
> its way to FreeIPA), and/or document this in the wiki or on an article that
> I can add to https://access.redhat.com/ for the "Red Hat Certificate
> System" product.
> Thanks for any feedback,
> M.
>

Better to open such an RFE against FreeIPA, IMO. There is no need for the
profile to be defined by the Dogtag project.

Thanks,
Fraser

> On Fri, Dec 9, 2016 at 1:50 AM, joris dedieu <[email protected]> wrote:
> >
> > Hi Marc,
> >
> > 2016-12-09 1:05 GMT+01:00 Marc Sauton <[email protected]>:
> > > you could try to modify a profile for SSL server certificate enrollment:
> > >
> > > cp -p /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> > > /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg.orig
> > > vim /var/lib/pki/pki-ca1/ca/profiles/ca/caServerCert.cfg
> > > ...snip...
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,pp
> > > ...snip...
> > > policyset.serverCertSet.pp.constraint.class_id=extensionConstraintImpl
> > > policyset.serverCertSet.pp.constraint.name=Extension Constraint
> > > policyset.serverCertSet.pp.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> > > policyset.serverCertSet.pp.constraint.params.extCritical=false
> > > policyset.serverCertSet.pp.default.class_id=userExtensionDefaultImpl
> > > policyset.serverCertSet.pp.default.name=User Supplied Key Usage Extension
> > > policyset.serverCertSet.pp.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> > > policyset.serverCertSet.pp.default.params.userExtCritical=false
> >
> > Excellent, it works like a charm! I just changed
> > extensionConstraintImpl to noConstraintImpl so that the extensions are
> > not mandatory anymore. Here is the complete puppet trusted facts
> > sequence. Useful to use DogTag (FreeIPA in my case) as an external
> > pki for Puppet.
> >
> > Many thanks
> > Joris
> >
> > policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp1.constraint.name=Puppet Node UUID (pp_uuid)
> > policyset.serverCertSet.pp1.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.1
> > policyset.serverCertSet.pp1.constraint.params.extCritical=false
> > policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp1.default.name=Puppet Node UUID (pp_uuid)
> > policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
> > policyset.serverCertSet.pp1.default.params.userExtCritical=false
> > policyset.serverCertSet.pp2.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp2.constraint.name=Puppet Node Instance ID (pp_instance_id)
> > policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
> > policyset.serverCertSet.pp2.constraint.params.extCritical=false
> > policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp2.default.name=Puppet Node Instance ID (pp_instance_id)
> > policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.2
> > policyset.serverCertSet.pp2.default.params.userExtCritical=false
> > policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp3.constraint.name=Puppet Node Image Name (pp_image_name)
> > policyset.serverCertSet.pp3.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.3
> > policyset.serverCertSet.pp3.constraint.params.extCritical=false
> > policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp3.default.name=Puppet Node Image Name (pp_image_name)
> > policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
> > policyset.serverCertSet.pp3.default.params.userExtCritical=false
> > policyset.serverCertSet.pp4.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp4.constraint.name=Puppet Node Preshared Key (pp_preshared_key)
> > policyset.serverCertSet.pp4.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.4
> > policyset.serverCertSet.pp4.constraint.params.extCritical=false
> > policyset.serverCertSet.pp4.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp4.default.name=Puppet Node Preshared Key (pp_preshared_key)
> > policyset.serverCertSet.pp4.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.4
> > policyset.serverCertSet.pp4.default.params.userExtCritical=false
> > policyset.serverCertSet.pp5.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp5.constraint.name=Puppet Node Cost Center Name (pp_cost_center)
> > policyset.serverCertSet.pp5.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.5
> > policyset.serverCertSet.pp5.constraint.params.extCritical=false
> > policyset.serverCertSet.pp5.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp5.default.name=Puppet Node Cost Center Name (pp_cost_center)
> > policyset.serverCertSet.pp5.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.5
> > policyset.serverCertSet.pp5.default.params.userExtCritical=false
> > policyset.serverCertSet.pp6.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp6.constraint.name=Puppet Node Product Name (pp_product)
> > policyset.serverCertSet.pp6.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.6
> > policyset.serverCertSet.pp6.constraint.params.extCritical=false
> > policyset.serverCertSet.pp6.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp6.default.name=Puppet Node Product Name (pp_product)
> > policyset.serverCertSet.pp6.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.6
> > policyset.serverCertSet.pp6.default.params.userExtCritical=false
> > policyset.serverCertSet.pp7.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp7.constraint.name=Puppet Node Project Name (pp_project)
> > policyset.serverCertSet.pp7.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.7
> > policyset.serverCertSet.pp7.constraint.params.extCritical=false
> > policyset.serverCertSet.pp7.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp7.default.name=Puppet Node Project Name (pp_project)
> > policyset.serverCertSet.pp7.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.7
> > policyset.serverCertSet.pp7.default.params.userExtCritical=false
> > policyset.serverCertSet.pp8.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp8.constraint.name=Puppet Node Application Name (pp_application)
> > policyset.serverCertSet.pp8.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.8
> > policyset.serverCertSet.pp8.constraint.params.extCritical=false
> > policyset.serverCertSet.pp8.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp8.default.name=Puppet Node Application Name (pp_application)
> > policyset.serverCertSet.pp8.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.8
> > policyset.serverCertSet.pp8.default.params.userExtCritical=false
> > policyset.serverCertSet.pp9.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp9.constraint.name=Puppet Node Service Name (pp_service)
> > policyset.serverCertSet.pp9.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.9
> > policyset.serverCertSet.pp9.constraint.params.extCritical=false
> > policyset.serverCertSet.pp9.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp9.default.name=Puppet Node Service Name (pp_service)
> > policyset.serverCertSet.pp9.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.9
> > policyset.serverCertSet.pp9.default.params.userExtCritical=false
> > policyset.serverCertSet.pp10.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp10.constraint.name=Puppet Node Employee Name (pp_employee)
> > policyset.serverCertSet.pp10.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.10
> > policyset.serverCertSet.pp10.constraint.params.extCritical=false
> > policyset.serverCertSet.pp10.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp10.default.name=Puppet Node Employee Name (pp_employee)
> > policyset.serverCertSet.pp10.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.10
> > policyset.serverCertSet.pp10.default.params.userExtCritical=false
> > policyset.serverCertSet.pp11.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp11.constraint.name=Puppet Node created_by Tag (pp_created_by)
> > policyset.serverCertSet.pp11.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.11
> > policyset.serverCertSet.pp11.constraint.params.extCritical=false
> > policyset.serverCertSet.pp11.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp11.default.name=Puppet Node created_by Tag (pp_created_by)
> > policyset.serverCertSet.pp11.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.11
> > policyset.serverCertSet.pp11.default.params.userExtCritical=false
> > policyset.serverCertSet.pp12.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp12.constraint.name=Puppet Node Environment Name (pp_environment)
> > policyset.serverCertSet.pp12.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.12
> > policyset.serverCertSet.pp12.constraint.params.extCritical=false
> > policyset.serverCertSet.pp12.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp12.default.name=Puppet Node Environment Name (pp_environment)
> > policyset.serverCertSet.pp12.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.12
> > policyset.serverCertSet.pp12.default.params.userExtCritical=false
> > policyset.serverCertSet.pp13.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp13.constraint.name=Puppet Node Role Name (pp_role)
> > policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp13.constraint.params.extCritical=false
> > policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp13.default.name=Puppet Node Role Name (pp_role)
> > policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
> > policyset.serverCertSet.pp13.default.params.userExtCritical=false
> > policyset.serverCertSet.pp14.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp14.constraint.name=Puppet Node Software Version (pp_software_version)
> > policyset.serverCertSet.pp14.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.14
> > policyset.serverCertSet.pp14.constraint.params.extCritical=false
> > policyset.serverCertSet.pp14.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp14.default.name=Puppet Node Software Version (pp_software_version)
> > policyset.serverCertSet.pp14.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.14
> > policyset.serverCertSet.pp14.default.params.userExtCritical=false
> > policyset.serverCertSet.pp15.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp15.constraint.name=Puppet Node Department Name (pp_department)
> > policyset.serverCertSet.pp15.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.15
> > policyset.serverCertSet.pp15.constraint.params.extCritical=false
> > policyset.serverCertSet.pp15.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp15.default.name=Puppet Node Department Name (pp_department)
> > policyset.serverCertSet.pp15.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.15
> > policyset.serverCertSet.pp15.default.params.userExtCritical=false
> > policyset.serverCertSet.pp16.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp16.constraint.name=Puppet Node Cluster Name (pp_cluster)
> > policyset.serverCertSet.pp16.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.16
> > policyset.serverCertSet.pp16.constraint.params.extCritical=false
> > policyset.serverCertSet.pp16.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp16.default.name=Puppet Node Cluster Name (pp_cluster)
> > policyset.serverCertSet.pp16.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.16
> > policyset.serverCertSet.pp16.default.params.userExtCritical=false
> > policyset.serverCertSet.pp17.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp17.constraint.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.constraint.params.extCritical=false
> > policyset.serverCertSet.pp17.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp17.default.name=Puppet Node Provisioner Name (pp_provisioner)
> > policyset.serverCertSet.pp17.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.17
> > policyset.serverCertSet.pp17.default.params.userExtCritical=false
> > policyset.serverCertSet.pp18.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp18.constraint.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.constraint.params.extCritical=false
> > policyset.serverCertSet.pp18.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp18.default.name=Puppet Node Region Name (pp_region)
> > policyset.serverCertSet.pp18.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.18
> > policyset.serverCertSet.pp18.default.params.userExtCritical=false
> > policyset.serverCertSet.pp19.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp19.constraint.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.constraint.params.extCritical=false
> > policyset.serverCertSet.pp19.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp19.default.name=Puppet Node Datacenter Name (pp_datacenter)
> > policyset.serverCertSet.pp19.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.19
> > policyset.serverCertSet.pp19.default.params.userExtCritical=false
> > policyset.serverCertSet.pp20.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp20.constraint.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.constraint.params.extCritical=false
> > policyset.serverCertSet.pp20.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp20.default.name=Puppet Node Zone Name (pp_zone)
> > policyset.serverCertSet.pp20.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
> > policyset.serverCertSet.pp20.default.params.userExtCritical=false
> > policyset.serverCertSet.pp21.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp21.constraint.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.constraint.params.extCritical=false
> > policyset.serverCertSet.pp21.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp21.default.name=Puppet Node Network Name (pp_network)
> > policyset.serverCertSet.pp21.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.21
> > policyset.serverCertSet.pp21.default.params.userExtCritical=false
> > policyset.serverCertSet.pp22.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp22.constraint.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.constraint.params.extCritical=false
> > policyset.serverCertSet.pp22.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp22.default.name=Puppet Node Security Policy Name (pp_securitypolicy)
> > policyset.serverCertSet.pp22.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.22
> > policyset.serverCertSet.pp22.default.params.userExtCritical=false
> > policyset.serverCertSet.pp23.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp23.constraint.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.constraint.params.extCritical=false
> > policyset.serverCertSet.pp23.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp23.default.name=Puppet Node Cloud Platform Name (pp_cloudplatform)
> > policyset.serverCertSet.pp23.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.23
> > policyset.serverCertSet.pp23.default.params.userExtCritical=false
> > policyset.serverCertSet.pp24.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp24.constraint.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.constraint.params.extCritical=false
> > policyset.serverCertSet.pp24.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp24.default.name=Puppet Node Application Tier (pp_apptier)
> > policyset.serverCertSet.pp24.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.24
> > policyset.serverCertSet.pp24.default.params.userExtCritical=false
> > policyset.serverCertSet.pp25.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.pp25.constraint.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.constraint.params.extCritical=false
> > policyset.serverCertSet.pp25.default.class_id=userExtensionDefaultImpl
> > policyset.serverCertSet.pp25.default.name=Puppet Node Hostname (pp_hostname)
> > policyset.serverCertSet.pp25.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.25
> > policyset.serverCertSet.pp25.default.params.userExtCritical=false
> >
> > > restart the CA and apply a CSR to the modified profile that has a user
> > > supplied extension for that OID, and a value, they should then appear in the
> > > X509v3 extensions of the issued certificate
> > >
> > > On Thu, Dec 8, 2016 at 2:56 AM, joris dedieu <[email protected]> wrote:
> > >>
> > >> Hi list,
> > >> I'm currently trying to add some extensions (For puppet trusted
> > >> facts https://docs.puppet.com/puppet/latest/ssl_attributes_extensions.html)
> > >> to my certificates. As far as I understand, I have to create / modify
> > >> a profile to do so. From the CSR, I can see the request extension
> > >>
> > >> Requested Extensions:
> > >> 1.3.6.1.4.1.34380.1.1.13:
> > >> ..my_puppet_role
> > >> X509v3 Subject Alternative Name:
> > >>
> > >> So basically the question is how to declare 1.3.6.1.4.1.34380.1.1.13
> > >> and retrieve its value in $request$? Is there something similar,
> > >> somewhere that I can use as an example? a doc to read?
> > >>
> > >> Many thanks
> > >> Joris
> > >>
> > >> _______________________________________________
> > >> Pki-users mailing list
> > >> [email protected]
> > >> https://www.redhat.com/mailman/listinfo/pki-users
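The hand-edited stanzas quoted above are easy to get subtly wrong: a `ppN` id left out of `policyset.serverCertSet.list`, or a constraint `extOID` that no longer matches the default `userExtOID`. The following is an added example, my own code and not from the thread or from Dogtag: it parses a profile fragment in that format, reports stanzas the CA would skip or that are inconsistent, and shows for each user-supplied extension whether the CSR must carry it (`extensionConstraintImpl`) or may omit it (`noConstraintImpl`, as Joris chose). The sample profile inside is constructed for the demonstration.

```python
# Constructed sample modelled on the caServerCert.cfg stanzas in the thread.
# pp13 keeps the mandatory extensionConstraintImpl, pp1 uses noConstraintImpl,
# pp2 has a deliberate OID mismatch, pp3 is defined but not listed, and pp4 is
# listed but never defined.
SAMPLE_PROFILE = """
policyset.serverCertSet.list=1,pp13,pp1,pp2,pp4
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.pp13.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp13.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp13.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp13.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.13
policyset.serverCertSet.pp1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp1.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp1.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.1
policyset.serverCertSet.pp2.constraint.class_id=extensionConstraintImpl
policyset.serverCertSet.pp2.constraint.params.extOID=1.3.6.1.4.1.34380.1.1.2
policyset.serverCertSet.pp2.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp2.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.20
policyset.serverCertSet.pp3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.pp3.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.pp3.default.params.userExtOID=1.3.6.1.4.1.34380.1.1.3
"""


def parse_profile(text):
    """Parse Dogtag's key=value profile lines into a dict (blank and # lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_policyset(props, pset="serverCertSet"):
    """Return (extensions, problems): extensions maps each listed
    userExtensionDefaultImpl policy id to (OID, mandatory); problems lists
    stanzas the CA would not evaluate or that are internally inconsistent."""
    prefix = f"policyset.{pset}."
    listed = [p for p in props.get(prefix + "list", "").split(",") if p]
    defined = {k[len(prefix):].split(".")[0]
               for k in props if k.startswith(prefix) and k != prefix + "list"}
    # Only ids named in the .list property are loaded; anything else is dead config.
    problems = [f"{p}: defined but absent from {prefix}list, so never evaluated"
                for p in sorted(defined - set(listed))]
    extensions = {}
    for pid in listed:
        con = props.get(f"{prefix}{pid}.constraint.class_id")
        dflt = props.get(f"{prefix}{pid}.default.class_id")
        if con is None or dflt is None:
            problems.append(f"{pid}: listed but has no constraint/default stanza")
            continue
        if dflt != "userExtensionDefaultImpl":
            continue  # not a user-supplied extension policy; nothing to check
        oid = props.get(f"{prefix}{pid}.default.params.userExtOID")
        mandatory = con == "extensionConstraintImpl"
        # extensionConstraintImpl requires extOID in the CSR, so it must be the
        # same OID the default copies into the issued certificate.
        if mandatory and props.get(f"{prefix}{pid}.constraint.params.extOID") != oid:
            problems.append(f"{pid}: constraint extOID differs from default userExtOID {oid}")
        extensions[pid] = (oid, mandatory)
    return extensions, problems
```

Run it against a real `caServerCert.cfg` by replacing `SAMPLE_PROFILE` with the file contents; on FreeIPA 4.4, where profiles live in LDAP, export the profile first rather than reading the file path from the thread.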
