On Tue, Mar 14, 2017 at 05:31:39PM -0400, George Wash wrote:
> Using CS 9.1
> I'm sending SAN nametypes and values in my HTTP requests to the CA inspired by Section A.1.14 below
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/CertProfileReference.html
>
> In general this is working, but I seem to be limited to 4 SANs maximum. The CA seems to only process $request_req_san_pattern_<0-3>$
>
> Here's my setup and some logs
>
>
> #### SAN Profile Configuration - 10 SANs ####
> ...
> policyset.MySet.SAN.constraint.class_id=noConstraintImpl
> policyset.MySet.SAN.constraint.name=No Constraint
> policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
> policyset.MySet.SAN.default.name=Subject Alt Name Extension Default
> policyset.MySet.SAN.default.params.subjAltNameExtCritical=false
> policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
> policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
> policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
> policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
> policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
> policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$
> policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$
> policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$
> policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$
> policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$
> policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$
>
>
> #### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from client #####
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_0' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_0' value='myserver0.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_1' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_1' value='myserver1.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_2' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_2' value='myserver2.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_3' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_3' value='myserver3.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_4' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_4' value='myserver4.example.com'
>
>
> ### CAProcessor Has Dropped SAN4 ####
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters:
> ....
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0: DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3: DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1: DNSName
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2: DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_3: myserver3.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_1: myserver1.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_2: myserver2.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_0: myserver0.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - cert_request_type: pkcs10
> ...
>
>
> ### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated previously in processing ####
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=0
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_0$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver0.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=1
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_1$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver1.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=2
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_2$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver2.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=3
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_3$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver3.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=4
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_4$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=5
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_5$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=6
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_6$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=7
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_7$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=8
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_8$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=9
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_9$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
>
>
> What's interesting is the SubjectAltNameExtDefault can take several extra hardcoded nametypes and values from the profile and populate them in the enrolled certificate.
>
> Any thoughts?
>
> Thanks
> GW

Hi George,
Looking at the code, while the SubjectAltNameExtDefault class can handle up to 100 altnames, the SubjectAltNameExtInput class, which stores user-submitted altname values into the request context, has a hardcoded limit of 4. If your use case requires handling more than 4 explicitly submitted altnames, please file a ticket at https://pagure.io/dogtagpki/new_issue.

Thanks,
Fraser

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
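The failure mode in this thread is a silent one: the profile enables ten slots, the client submits five names, and the CA issues a certificate with four, logging only "gname is empty,not added" at debug level. The following Python script is an added example, not code from the thread or from the Dogtag project. It parses the policyset lines George posted, flags every enabled slot whose `$request.req_san_pattern_N$` index is at or beyond the 4-entry SubjectAltNameExtInput limit Fraser describes, simulates which submitted SANs would land in the issued certificate, and reports the ones that were dropped. The sample profile is cut down to slots 0 to 4 and adds a literal (hardcoded) DNSName in slot 5, which is an assumption of this example illustrating George's observation that hardcoded values in the profile are unaffected; the five-name request mirrors the CMSServlet log in the thread. That the default only walks slots below `subjAltNameNumGNs` is inferred from the `createExtension i=0..9` log lines, not from the code.

```python
import re

# Number of user-submitted altnames SubjectAltNameExtInput stores in the request
# context: hardcoded to 4 per Fraser's reply.
SAN_INPUT_LIMIT = 4

SLOT_RE = re.compile(r"\.params\.subjAltExt(GNEnable|Pattern|Type)_(\d+)$")
REQ_PATTERN_RE = re.compile(r"^\$request\.req_san_pattern_(\d+)\$$")
SUBST_RE = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")

# Constructed sample: the thread's policyset cut down to slots 0-4, plus a literal
# (hardcoded) DNSName in slot 5, which is an assumption of this example.
SAMPLE_PROFILE = """\
policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
policyset.MySet.SAN.default.params.subjAltExtPattern_5=ca.example.com
policyset.MySet.SAN.default.params.subjAltExtType_5=DNSName
"""

# Constructed request: the five DNSName SANs seen in the thread's CMSServlet log.
SAMPLE_REQUEST = {f"req_san_type_{i}": "DNSName" for i in range(5)}
SAMPLE_REQUEST.update({f"req_san_pattern_{i}": f"myserver{i}.example.com" for i in range(5)})


def parse_san_slots(profile_text):
    """Return (subjAltNameNumGNs, {index: {"enabled", "pattern", "type"}})."""
    slots, num_gns = {}, 0
    for raw in profile_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        if key.endswith(".subjAltNameNumGNs"):
            num_gns = int(value)
            continue
        m = SLOT_RE.search(key)
        if not m:
            continue
        slot = slots.setdefault(int(m.group(2)), {"enabled": False, "pattern": "", "type": ""})
        if m.group(1) == "GNEnable":
            slot["enabled"] = value.strip().lower() == "true"
        elif m.group(1) == "Pattern":
            slot["pattern"] = value.strip()
        else:
            slot["type"] = value.strip()
    return num_gns, slots


def active_slots(num_gns, slots):
    """Enabled slot indices below NumGNs, in order (the default walks i=0..NumGNs-1,
    as the thread's createExtension log shows; an assumption of this example)."""
    return [i for i in sorted(slots) if i < num_gns and slots[i]["enabled"]]


def find_unreachable_slots(num_gns, slots, limit=SAN_INPUT_LIMIT):
    """Slots whose pattern names a req_san_pattern_N the input class never stores
    (N >= limit); at enrollment these log 'gname is empty,not added'."""
    bad = []
    for i in active_slots(num_gns, slots):
        m = REQ_PATTERN_RE.match(slots[i]["pattern"])
        if m and int(m.group(1)) >= limit:
            bad.append(i)
    return bad


def simulate_issued_sans(num_gns, slots, request_params, limit=SAN_INPUT_LIMIT):
    """Mirror the server: keep only req_san_*_N with N < limit in the request
    context, substitute $request.X$ in each enabled slot, skip empty results."""
    context = {}
    for name, value in request_params.items():
        m = re.match(r"^req_san_(?:pattern|type)_(\d+)$", name)
        if m is None or int(m.group(1)) < limit:
            context[name] = value
    issued = []
    for i in active_slots(num_gns, slots):
        value = SUBST_RE.sub(lambda m: context.get(m.group(1), ""), slots[i]["pattern"])
        gn_type = SUBST_RE.sub(lambda m: context.get(m.group(1), ""), slots[i]["type"])
        if value:
            issued.append((gn_type, value))
    return issued


def missing_sans(request_params, issued):
    """Submitted (type, name) pairs absent from what was issued: the check to run
    against the returned certificate's SAN list before deploying it."""
    requested = set()
    for name, value in request_params.items():
        m = re.match(r"^req_san_pattern_(\d+)$", name)
        if m:
            requested.add((request_params.get(f"req_san_type_{m.group(1)}", ""), value))
    return sorted(requested - set(issued))
```

Run `parse_san_slots(SAMPLE_PROFILE)` and feed the result to `find_unreachable_slots`, which reports slot 4 for the sample, and to `simulate_issued_sans` with `SAMPLE_REQUEST`, which yields myserver0 to myserver3 plus the literal ca.example.com; `missing_sans` then names myserver4.example.com as the dropped entry. The same `missing_sans` comparison applied to the SAN list of the certificate the CA actually returns is the cheap post-issuance check that turns this silent drop into a visible failure in an enrollment pipeline.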
