[Pki-users] Adding subject alternative name into certificate

Jindrich Dolezal jindrich.dolezal at adaptivemobile.com
Thu Jan 16 14:06:18 UTC 2014


Hi all,
I'm struggling with adding the Subject Alternative Name (SAN) into the
generated certificate. I'm doing a SCEP request. When I print the cert req
into a file and dump it, it seems that the SAN is correctly added:
$ openssl req -in certreq.csr -text -noout
Certificate Request:
     ...
         Requested Extensions:
             X509v3 Subject Alternative Name:
                 email:example at example.org
     Signature Algorithm: sha1WithRSAEncryption
          1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
           ....

The profile that is then used on the CA contains:
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1

And in the log file:
[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: example at example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject

.....

[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate sees no extension.  get out
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end

And the SAN is not included in the certificate.

I also tried other values for subjAltExtPattern_0 like $request.email$,
$request.SAN1$, etc., but this only ended in a state where the SAN was
included in the certificate but had the parameter itself as its value, i.e.
'$request.email$', which is apparently not what I wanted.

Would anyone know what I'm doing wrong? Where is the catch?

Thanks a lot

jd
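
Added example (not part of the original post and not Dogtag code): a small Python triage script that correlates the profile parameters and debug-log lines quoted in the message above, reporting which SAN slot resolved to an empty general name and which pattern it was configured with. The function names `san_slots` and `triage` are hypothetical; the sample inputs are excerpts copied from the post with wrapped log lines joined.

```python
import re
# Sample inputs: excerpts copied from the post above (wrapped log lines joined).
PROFILE = """\
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""
LOG = """\
[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17 Criticality=false
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end
"""

SAN_OID = "2.5.29.17"  # X509v3 Subject Alternative Name
PARAM = re.compile(r"\.default\.params\.subjAltExt(Type|Pattern|GNEnable)_(\d+)=(.*)$")
PREFIX = re.compile(r"^\[[^\]]+\]\[[^\]]+\]: ")  # "[timestamp][thread]: "

def san_slots(profile_text):
    """Group the subjAltExt*_N profile parameters by slot index N."""
    slots = {}
    for line in profile_text.splitlines():
        m = PARAM.search(line.strip())
        if m:
            slots.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
    return slots

def triage(profile_text, log_text):
    """Correlate configured SAN slots with what the debug log says happened."""
    slots = san_slots(profile_text)
    msgs = [PREFIX.sub("", l) for l in log_text.splitlines()]
    request_has_san = any(SAN_OID in m for m in msgs)
    empty, current = [], None
    for m in msgs:
        if m.startswith("SubjectAltNameExtDefault: createExtension i="):
            current = int(m.rsplit("=", 1)[1])  # slot being populated
        elif m == "gname is empty, not added" and current is not None:
            empty.append(current)
    count = next((int(m.split()[-1]) for m in msgs if m.startswith("count is ")), None)
    return {"request_has_san": request_has_san, "added": count,
            "empty_slots": [(i, slots.get(i, {}).get("Pattern")) for i in empty]}

if __name__ == "__main__":
    print(triage(PROFILE, LOG))
```

On the posted excerpts this reports that the request carried the SAN extension, that zero general names were added, and that slot 0 with pattern `$request.requestor_email$` came out empty.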










