
How to enable subjectAltName when signing certificates in pki-ca

asked 2018-03-23 14:58:32 -0500

SypsG

We installed pki-ca (10.4.1-17 - latest from the repo) on a CentOS 7.4 server so we could sign our own SSL certificates.

When we approve the requests, the subjectAltNames from the CSRs are not included in the certificates.

I have added the following lines to /usr/share/pki/ca/profiles/ca/caServerCert.cfg, and changed the serverCertSet.list to include 9 at the end of it:

    policyset.serverCertSet.9.constraint.classid=noConstraintImpl
    policyset.serverCertSet.9.constraint.name=No Constraint
    policyset.serverCertSet.9.constraint.subjAltNameExtCritical=false
    policyset.serverCertSet.9.default.classid=userExtensionDefaultImpl
    policyset.serverCertSet.9.default.name=User Supplied Extension Default
    policyset.serverCertSet.9.default.params.userExtOID=2.5.29.17

What else do we need to do to include the subjectAltNames in the certificates?

Thanks, George


1 Answer


answered 2018-03-29 09:15:40 -0500

SypsG

I looked at my configuration and the OID was 2.5.29.37 instead of .17.

I copied the configuration example from a bad reference.

Also, the configuration filename I needed to edit was located in two places, and the one I had configured according to that same documentation was not having an effect. I had to modify /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg instead.

Lastly, "service pki-ca start" did not do anything, because there is no service named pki-ca. I had to use "pki-server instance-stop|start pki-tomcat" to get it to start.

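The steps from the question and the corrections from the answer (edit the profile copy under /var/lib/pki/pki-tomcat, use OID 2.5.29.17 rather than 2.5.29.37, restart with pki-server instead of a pki-ca service), pulled together into an added shell script. It is not from the thread or from the Dogtag PKI project. It assumes policy index 9 is unused in the profile, that the list and policy key names are as posted in the question, that POSIX sed/grep are available, and that openssl is present for the optional check that an issued certificate's SAN matches the CSR's.

```shell
#!/bin/sh
# Added example, not from the thread or from Dogtag PKI: patch the CA profile
# that the answer says is actually read, sanity-check the result, restart the
# instance, and optionally compare the SAN of a CSR with the issued certificate.
# Assumed: index 9 is free in the profile; sed/grep are POSIX; openssl exists.

PROFILE="${PROFILE:-/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg}"
INSTANCE="${INSTANCE:-pki-tomcat}"
PSET="serverCertSet"
IDX="${IDX:-9}"
SAN_OID="2.5.29.17"   # id-ce-subjectAltName; 2.5.29.37 (extKeyUsage) was the mistaken value

# list_has_index FILE: succeed if IDX already appears in policyset.<set>.list
list_has_index() {
    grep "^policyset\.$PSET\.list=" "$1" | cut -d= -f2 | tr ',' '\n' | grep -qx "$IDX"
}

# add_san_policy FILE: idempotently add IDX to the list and append its policy lines
add_san_policy() {
    f="$1"
    if ! grep -q "^policyset\.$PSET\.list=" "$f"; then
        echo "add_san_policy: no policyset.$PSET.list in $f" >&2
        return 1
    fi
    if ! list_has_index "$f"; then
        tmp="$f.tmp.$$"
        sed "s/^\(policyset\.$PSET\.list=.*\)/\1,$IDX/" "$f" > "$tmp" && mv "$tmp" "$f"
    fi
    if ! grep -q "^policyset\.$PSET\.$IDX\.default\.classid=" "$f"; then
        # make sure the file ends with a newline before appending
        if [ -n "$(tail -c1 "$f")" ]; then echo >> "$f"; fi
        cat >> "$f" <<EOF
policyset.$PSET.$IDX.constraint.classid=noConstraintImpl
policyset.$PSET.$IDX.constraint.name=No Constraint
policyset.$PSET.$IDX.constraint.subjAltNameExtCritical=false
policyset.$PSET.$IDX.default.classid=userExtensionDefaultImpl
policyset.$PSET.$IDX.default.name=User Supplied Extension Default
policyset.$PSET.$IDX.default.params.userExtOID=$SAN_OID
EOF
    fi
}

# check_san_policy FILE: succeed only if IDX is listed and its userExtOID is the SAN OID
check_san_policy() {
    f="$1"
    if ! list_has_index "$f"; then
        echo "check_san_policy: $IDX is not in policyset.$PSET.list" >&2
        return 1
    fi
    oid=$(grep "^policyset\.$PSET\.$IDX\.default\.params\.userExtOID=" "$f" | cut -d= -f2)
    if [ "$oid" != "$SAN_OID" ]; then
        echo "check_san_policy: userExtOID is '${oid:-unset}', want $SAN_OID" >&2
        return 1
    fi
}

# san_of FILE KIND: print the SAN entries of a CSR (KIND=req) or certificate (KIND=x509)
san_of() {
    openssl "$2" -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# verify_san CSR CERT: fail if the issued certificate's SAN differs from the CSR's
verify_san() {
    want=$(san_of "$1" req)
    got=$(san_of "$2" x509)
    if [ -z "$want" ]; then echo "verify_san: CSR carries no SAN" >&2; return 1; fi
    if [ "$want" != "$got" ]; then
        echo "verify_san: CSR SAN '$want' but certificate SAN '${got:-none}'" >&2
        return 1
    fi
    echo "SAN ok: $got"
}

# apply_and_restart: patch the live profile and restart with the answer's commands
apply_and_restart() {
    add_san_policy "$PROFILE" && check_san_policy "$PROFILE" || return 1
    pki-server instance-stop "$INSTANCE"
    pki-server instance-start "$INSTANCE"
}

case "${1:-}" in
    apply)  apply_and_restart ;;
    verify) verify_san "$2" "$3" ;;
esac
```

Run it with `apply` to patch the live profile and restart, and with `verify request.csr issued.crt` after approval to compare the SAN entries. The User Supplied Extension Default only copies the extension with the configured OID out of the request, so the CSR has to carry a subjectAltName extension request for there to be anything to copy; `verify_san` treats a CSR without one as a failure rather than a match.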


Last updated: Mar 29 '18