How to enable subjectAltName when signing certificates in pki-ca

We installed pki-ca (10.4.1-17 - latest from the repo) on a CentOS 7.4 server so we could sign our own SSL certificates.

When we approve the requests, the subjectAltNames from the CSRs are not included in the certificates.

I have added the following lines to /usr/share/pki/ca/profiles/ca/caServerCert.cfg, and changed the serverCertSet.list to include 9 at the end of it:

    policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.9.constraint.name=No Constraint
    policyset.serverCertSet.9.constraint.subjAltNameExtCritical=false
    policyset.serverCertSet.9.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.9.default.name=User Supplied Extension Default
    policyset.serverCertSet.9.default.params.userExtOID=2.5.29.17

What else do we need to do to include the subjectAltNames in the certificates?

Thanks, George
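
An added example, not part of the original post and not pki-ca's own code: a small Python check that parses profile text in the key=value form shown in the question and reports whether the policy set contains an entry that copies the request's subjectAltName extension (OID 2.5.29.17) and whether that entry is named in the list line. The function names and the sample text are constructed for illustration; `policyset.serverCertSet.list` is assumed to be the full key for the list the post mentions.

```python
SAN_OID = "2.5.29.17"  # subjectAltName, the OID used in the post

# Constructed sample: entry 9 from the post plus a list line that includes it.
SAMPLE = """\
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.9.default.name=User Supplied Extension Default
policyset.serverCertSet.9.default.params.userExtOID=2.5.29.17
"""


def parse_profile(text):
    """Parse properties-style 'key=value' lines into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_san_policy(text, policy_set="serverCertSet"):
    """Return a list of problems; an empty list means the SAN entry is wired in."""
    props = parse_profile(text)
    prefix = "policyset.%s." % policy_set
    listed = [i.strip() for i in props.get(prefix + "list", "").split(",") if i.strip()]
    # Entry ids whose default copies the user-supplied SAN extension.
    san_ids = sorted(
        key[len(prefix):].split(".", 1)[0]
        for key, value in props.items()
        if key.startswith(prefix)
        and key.endswith(".default.params.userExtOID")
        and value == SAN_OID
    )
    problems = []
    if not san_ids:
        problems.append("no entry sets userExtOID=%s" % SAN_OID)
    for idx in san_ids:
        if idx not in listed:
            problems.append("entry %s is defined but missing from %slist" % (idx, prefix))
        cls = props.get("%s%s.default.class_id" % (prefix, idx))
        if cls != "userExtensionDefaultImpl":
            problems.append("entry %s has default.class_id=%r" % (idx, cls))
    return problems
```

Run it against the profile file the CA instance actually loads; an empty result only shows the profile text is consistent, so the issued certificate should still be inspected for the Subject Alternative Name extension.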