[Pki-users] Adding subject alternative name into certificate

Christina Fu cfu at redhat.com
Thu Jan 16 18:05:21 UTC 2014


In general, the two easiest ways to add SAN into the cert. The following 
documentation should help.

1. The subjectAlternativeName profile configuration : (use this if your 
CSR does not contain SAN, but you have relevant info in the accompanying 
request or ldap)
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default

2. The User Supplied Extension Default : (use this if you generate your 
own SAN in the CSR)
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#User_Supplied_Extension_Default

Christina

On 01/16/2014 06:06 AM, Jindrich Dolezal wrote:
> hi all,
> im struggling in adding the subject alternative name (san) into the 
> generated certificate. im doing scep request. when i print the cert 
> req into a file and dump it, it seems that san is correctly added:
> $ openssl req -in certreq.csr -text -noout
> Certificate Request:
>     ...
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 email:example at example.org
>     Signature Algorithm: sha1WithRSAEncryption
>          1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
>           ....
>
> the profile that is then used on ca contains:
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$ 
>
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
> and in the log file:
> [16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
> [16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 
> 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> [RFC822Name: example at example.org]]
> ]
> [16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
>
> .....
>
> [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
> populate start
> [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
> createExtension i=0
> [16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
> [16/Jan/2014:13:49:42][http-9180-1]: count is 0
> [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
> populate sees no extension.  get out
> [16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: 
> populate end
>
> and the san is not included in the certificate.
>
> i also tried other values for subjAltExtPattern_0 like 
> $request.email$, $request.SAN1$, etc but this only ended with state 
> where san was included into the certificate but has value as the 
> parameter, i.e. '$request.email$' which is apparently not what i wanted.
>
> would anyone know what im doing wrong, where is the catch?
>
> thank a lot
>
> jd
>
>
>
>
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users




More information about the Pki-users mailing list