authorChristina Fu <cfu@redhat.com>2015-04-15 10:58:08 -0700
committerChristina Fu <cfu@redhat.com>2015-04-21 18:24:32 -0700
commite2683d6a8f6211ac58a5674aaa626814f26ebbf2 (patch)
treecb6e9fae0990b334ee1acd6333f8ef46594994e8 /base/ca
parent79c5627ae28840756d99928fd33701552cc93322 (diff)
Ticket 1316 Allow adding SAN to server cert during the install process
Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy the existing serverCert.profile away and replace it with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instructions right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instructions right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SANs delimited by ',' for pki_san_server_cert) - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) and check the SSL server cert; it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
Diffstat (limited to 'base/ca')
-rw-r--r--base/ca/shared/conf/serverCert.profile.exampleWithSANpattern68
-rw-r--r--base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg23
2 files changed, 91 insertions, 0 deletions
diff --git a/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern
new file mode 100644
index 000000000..5ca44270e
--- /dev/null
+++ b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern
@@ -0,0 +1,68 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7,8
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+# allows SAN to be specified from client side
+# need to:
+# 1. add 8 to list above
+# 2. change below to reflect the number of general names, and
+# turn each corresponding subjAltExtPattern_<num> to true
+# 8.default.params.subjAltNameNumGNs
+8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
+8.default.name=Subject Alternative Name Extension Default
+8.default.params.subjAltExtGNEnable_0=true
+8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+8.default.params.subjAltExtType_0=DNSName
+8.default.params.subjAltExtGNEnable_1=true
+8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
+8.default.params.subjAltExtType_1=DNSName
+8.default.params.subjAltExtGNEnable_2=true
+8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
+8.default.params.subjAltExtType_2=DNSName
+8.default.params.subjAltExtGNEnable_3=true
+8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
+8.default.params.subjAltExtType_3=DNSName
+8.default.params.subjAltExtType_4=OtherName
+8.default.params.subjAltExtSource_4=UUID4
+8.default.params.subjAltExtPattern_4=(IA5String)1.2.3.4,$server.source$
+8.default.params.subjAltExtGNEnable_4=true
+8.default.params.subjAltExtType_5=DNSName
+8.default.params.subjAltExtPattern_5=myhost.example.com
+8.default.params.subjAltExtGNEnable_5=true
+8.default.params.subjAltNameExtCritical=false
+8.default.params.subjAltNameNumGNs=6
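Review bot: The instruction comment above the `8.default` entries does not match the file it sits in: step 1 says to add 8 to `list`, but `list=2,4,5,6,7,8` already contains it, and step 2 names `subjAltExtPattern_<num>` as the switch to turn to true when the per-entry booleans in this block are `subjAltExtGNEnable_<num>`. With `subjAltNameNumGNs=6` and every `subjAltExtGNEnable_N=true`, entries 4 and 5 are sample values that would be issued as-is — an OtherName under the placeholder OID `1.2.3.4` and a hard-coded `DNSName` of `myhost.example.com` — so copying this example in unedited would put those names into every server cert the profile signs. I would ship the example with `subjAltExtGNEnable_4=false` and `subjAltExtGNEnable_5=false`, and reword step 2 to `# 2. set subjAltNameNumGNs below to the number of names supplied, and set the matching subjAltExtGNEnable_<num> to true`. What the default does when a referenced `$request.req_san_pattern_N$` is absent from the request is not visible here and is worth confirming before leaving entries 1–3 enabled.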
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index 719351080..f145325f0 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -8,6 +8,7 @@ name=Security Domain Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectAltNameExtInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
@@ -84,3 +85,25 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA25
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
+# allows SAN to be specified from client side
+# need to:
+# 1. add i3 to input.list above
+# 2. add 9 to policyset.serverCertSet.list above
+# 3. change below to reflect the number of general names, and
+# turn each corresponding subjAltExtPattern_<num> to true
+# policyset.serverCertSet.9.default.params.subjAltNameNumGNs
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
+policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
+policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
+policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
+policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
+policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
+policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
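Review bot: The new `policyset.serverCertSet.9.constraint.class_id=noConstraintImpl` pairs a SAN default filled from client-supplied request attributes (`$request.req_san_pattern_0$`, fed by the `subjectAltNameExtInputImpl` input added in the earlier hunk) with no constraint at all, so once steps 1–2 are followed any requester admitted to this profile can obtain a security-domain server cert for whatever DNS names it submits. Whether the authentication already on this profile is sufficient gatekeeping cannot be judged from this file, but the file should state the trade-off; I would add above the constraint line `# NOTE: noConstraintImpl performs no validation of the requested SAN values; they are accepted exactly as submitted.` The step-3 comment also names the wrong parameter — the per-entry boolean is `subjAltExtGNEnable_<num>`, not `subjAltExtPattern_<num>` — which matters here because entries 1 and 2 are shipped with `subjAltExtGNEnable_N=false` and an operator following the comment literally would not find the flag to flip.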