From e2683d6a8f6211ac58a5674aaa626814f26ebbf2 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Wed, 15 Apr 2015 10:58:08 -0700
Subject: Ticket 1316 Allow adding SAN to server cert during the install
 process Usage: * under /usr/share/pki/ca/conf, you will find a new file
 called serverCert.profile.exampleWithSANpattern * copy existing
 serverCert.profile away and replace with
 serverCert.profile.exampleWithSANpattern * edit
 serverCert.profile.exampleWithSANpattern   - follow the instruction right
 above 8.default.   - save and quit * cd /usr/share/pki/ca/profiles/ca , edit
 caInternalAuthServerCert.cfg   - follow the instruction right above
 policyset.serverCertSet.9   - save and quit * save away and edit the ca
 config file for pkispawn: (note: you can add multiple SAN's delimited by ','
 for pki_san_server_cert   - add the following lines, e.g.    
 pki_san_inject=True     pki_san_server_cert=host1.Example.com   - do the same
 pkispawn cfg changes for kra or any other instances that you plan on creating
 * create your instance(s)   check the sl sever cert, it should contain
 something like the following:

                Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no
                    Value:
                        DNSName: host1.Example.com
---
 .../conf/serverCert.profile.exampleWithSANpattern  | 68 ++++++++++++++++++++++
 .../profiles/ca/caInternalAuthServerCert.cfg       | 23 ++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 base/ca/shared/conf/serverCert.profile.exampleWithSANpattern

(limited to 'base/ca')

diff --git a/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern
new file mode 100644
index 000000000..5ca44270e
--- /dev/null
+++ b/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern
@@ -0,0 +1,68 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7,8
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+# allows SAN to be specified from client side
+# need to:
+# 1. add 8 to list above
+# 2. change below to reflect the number of general names, and
+#    turn each corresponding subjAltExtPattern_<num> to true
+#      8.default.params.subjAltNameNumGNs
+8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
+8.default.name=Subject Alternative Name Extension Default
+8.default.params.subjAltExtGNEnable_0=true
+8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+8.default.params.subjAltExtType_0=DNSName
+8.default.params.subjAltExtGNEnable_1=true
+8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
+8.default.params.subjAltExtType_1=DNSName
+8.default.params.subjAltExtGNEnable_2=true
+8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
+8.default.params.subjAltExtType_2=DNSName
+8.default.params.subjAltExtGNEnable_3=true
+8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
+8.default.params.subjAltExtType_3=DNSName
+8.default.params.subjAltExtType_4=OtherName
+8.default.params.subjAltExtSource_4=UUID4
+8.default.params.subjAltExtPattern_4=(IA5String)1.2.3.4,$server.source$
+8.default.params.subjAltExtGNEnable_4=true
+8.default.params.subjAltExtType_5=DNSName
+8.default.params.subjAltExtPattern_5=myhost.example.com
+8.default.params.subjAltExtGNEnable_5=true
+8.default.params.subjAltNameExtCritical=false
+8.default.params.subjAltNameNumGNs=6
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index 719351080..f145325f0 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -8,6 +8,7 @@ name=Security Domain Server Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl
 input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectAltNameExtInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
@@ -84,3 +85,25 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA25
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+# allows SAN to be specified from client side
+# need to:
+# 1. add i3 to input.list above
+# 2. add 9 to policyset.serverCertSet.list above
+# 3. change below to reflect the number of general names, and
+#    turn each corresponding subjAltExtPattern_<num> to true
+#      policyset.serverCertSet.9.default.params.subjAltNameNumGNs
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
+policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
+policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
+policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
+policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
+policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
+policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
-- 
cgit