diff options
| author | Christina Fu <cfu@redhat.com> | 2015-04-15 10:58:08 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2015-04-21 18:24:32 -0700 |
| commit | e2683d6a8f6211ac58a5674aaa626814f26ebbf2 (patch) | |
| tree | cb6e9fae0990b334ee1acd6333f8ef46594994e8 /base/ca/shared/conf/serverCert.profile.exampleWithSANpattern | |
| parent | 79c5627ae28840756d99928fd33701552cc93322 (diff) | |
| download | pki-e2683d6a8f6211ac58a5674aaa626814f26ebbf2.tar.gz pki-e2683d6a8f6211ac58a5674aaa626814f26ebbf2.tar.xz pki-e2683d6a8f6211ac58a5674aaa626814f26ebbf2.zip | |
Ticket 1316 Allow adding SAN to server cert during the install process
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
Diffstat (limited to 'base/ca/shared/conf/serverCert.profile.exampleWithSANpattern')
| -rw-r--r-- | base/ca/shared/conf/serverCert.profile.exampleWithSANpattern | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern new file mode 100644 index 000000000..5ca44270e --- /dev/null +++ b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern @@ -0,0 +1,68 @@ +# +# Server Certificate +# +id=serverCert.profile +name=All Purpose SSL server cert Profile +description=This profile creates an SSL server certificate that is valid for SSL servers +profileIDMapping=caServerCert +profileSetIDMapping=serverCertSet +list=2,4,5,6,7,8 +2.default.class=com.netscape.cms.profile.def.ValidityDefault +2.default.name=Validity Default +2.default.params.range=720 +2.default.params.startTime=0 +4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +4.default.name=Authority Key Identifier Default +5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +5.default.name=AIA Extension Default +5.default.params.authInfoAccessADEnable_0=true +5.default.params.authInfoAccessADLocationType_0=URIName +5.default.params.authInfoAccessADLocation_0= +5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +5.default.params.authInfoAccessCritical=false +5.default.params.authInfoAccessNumADs=1 +6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +6.default.name=Key Usage Default +6.default.params.keyUsageCritical=true +6.default.params.keyUsageDigitalSignature=true +6.default.params.keyUsageNonRepudiation=true +6.default.params.keyUsageDataEncipherment=true +6.default.params.keyUsageKeyEncipherment=true +6.default.params.keyUsageKeyAgreement=false +6.default.params.keyUsageKeyCertSign=false +6.default.params.keyUsageCrlSign=false +6.default.params.keyUsageEncipherOnly=false +6.default.params.keyUsageDecipherOnly=false +7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +7.default.name=Extended Key Usage Extension Default +7.default.params.exKeyUsageCritical=false +7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 +# allows SAN to be specified from client side +# need to: +# 1. add 8 to list above +# 2. change below to reflect the number of general names, and +# turn each corresponding subjAltExtPattern_<num> to true +# 8.default.params.subjAltNameNumGNs +8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault +8.default.name=Subject Alternative Name Extension Default +8.default.params.subjAltExtGNEnable_0=true +8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$ +8.default.params.subjAltExtType_0=DNSName +8.default.params.subjAltExtGNEnable_1=true +8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$ +8.default.params.subjAltExtType_1=DNSName +8.default.params.subjAltExtGNEnable_2=true +8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$ +8.default.params.subjAltExtType_2=DNSName +8.default.params.subjAltExtGNEnable_3=true +8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$ +8.default.params.subjAltExtType_3=DNSName +8.default.params.subjAltExtType_4=OtherName +8.default.params.subjAltExtSource_4=UUID4 +8.default.params.subjAltExtPattern_4=(IA5String)1.2.3.4,$server.source$ +8.default.params.subjAltExtGNEnable_4=true +8.default.params.subjAltExtType_5=DNSName +8.default.params.subjAltExtPattern_5=myhost.example.com +8.default.params.subjAltExtGNEnable_5=true +8.default.params.subjAltNameExtCritical=false +8.default.params.subjAltNameNumGNs=6 |