Bug 442800 - RFE: support UUID in Subject Alternative Name extension
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Profile
unspecified
All Linux
high Severity low
Assigned To: Christina Fu
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-04-16 17:10 EDT by Christina Fu
Modified: 2015-01-05 20:17 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:28:30 EDT

Attachments
added implementation for support of UUID in Subject Alternative name extension (5.26 KB, text/plain)
2008-04-16 18:04 EDT, Christina Fu
sample profile to be used. default to be not enabled (5.94 KB, text/plain)
2008-04-16 18:05 EDT, Christina Fu
a little refinement to clarify this is only UUID version 4 plus making the pattern flexible as others (4.37 KB, text/plain)
2008-04-17 17:20 EDT, Christina Fu
and example profile cfg to go with the refinement (5.96 KB, application/octet-stream)
2008-04-17 17:22 EDT, Christina Fu
two spec files changed (1.92 KB, text/plain)
2008-04-17 17:59 EDT, Christina Fu
CS.cfg diff (2.04 KB, text/plain)
2008-04-17 18:02 EDT, Christina Fu
CS.cfg take 2 - reflect change of profile name (2.03 KB, application/octet-stream)
2008-04-17 18:45 EDT, Christina Fu
profile name changed (5.96 KB, text/plain)
2008-04-17 18:46 EDT, Christina Fu

Description Christina Fu 2008-04-16 17:10:30 EDT
Description of problem:
RFE to support UUID in Subject Alternative Name extension.

Comment 1 Christina Fu 2008-04-16 18:04:25 EDT
Created attachment 302679
added implementation for support of UUID in Subject Alternative name extension
Comment 2 Christina Fu 2008-04-16 18:05:15 EDT
Created attachment 302680
sample profile to be used.  default to be not enabled
Comment 3 Christina Fu 2008-04-16 18:05:39 EDT
please code review.  thanks.
Comment 4 Andrew Wnuk 2008-04-16 19:07:02 EDT
attachment (id=302679) +awnuk
attachment (id=302680) +awnuk
Comment 5 Christina Fu 2008-04-17 17:20:04 EDT
Created attachment 302814
a little refinement to clarify this is only UUID version 4 plus making the pattern flexible as others
Comment 6 Christina Fu 2008-04-17 17:22:01 EDT
Created attachment 302815
and example profile cfg to go with the refinement

note the $server.source$ pattern and the UUID4 source.
Comment 7 Christina Fu 2008-04-17 17:59:10 EDT
Created attachment 302822
two spec files changed
Comment 8 Christina Fu 2008-04-17 18:02:44 EDT
Created attachment 302823
CS.cfg diff

this should complete all the changes submitted.
please review.
Comment 9 Matthew Harmsen 2008-04-17 18:35:37 EDT
attachment (id=302822) +mharmsen
Comment 10 Andrew Wnuk 2008-04-17 18:40:34 EDT
attachment (id=302815) +awnuk
attachment (id=302814) +awnuk
attachment (id=302823) +awnuk
attachment (id=302822) +mharmsen
Comment 11 Christina Fu 2008-04-17 18:45:18 EDT
Created attachment 302826
CS.cfg take 2 - reflect change of profile name
Comment 12 Christina Fu 2008-04-17 18:46:02 EDT
Created attachment 302827
profile name changed
Comment 13 Andrew Wnuk 2008-04-17 19:02:42 EDT
attachment (id=302826) +awnuk
attachment (id=302827) +awnuk
Comment 14 Christina Fu 2008-04-17 19:03:48 EDT
[cfu@jaw ca]$ svn add caUUIDdeviceCert.cfg
A         caUUIDdeviceCert.cfg
[cfu@jaw ca]$ pwd
/home/cfu/dogtag/src0/pki/base/ca/shared/profiles/ca
[cfu@jaw ca]$ cd -
/home/cfu/dogtag/src0/pki/
[cfu@jaw pki]$ svn update base/ca/shared/conf/CS.cfg base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java linux/ca/pki-ca.spec linux/common/pki-common.spec
At revision 26.
At revision 26.
At revision 26.
At revision 26.
[cfu@jaw pki]$ svn commit base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg base/ca/shared/conf/CS.cfg base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java linux/ca/pki-ca.spec linux/common/pki-common.spec
Sending        base/ca/shared/conf/CS.cfg
Adding         base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
Sending        base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
Sending        linux/ca/pki-ca.spec
Sending        linux/common/pki-common.spec
Transmitting file data .....
Committed revision 27.
Comment 16 Christina Fu 2008-10-15 12:52:08 EDT
I think what we have here is enough for 8.0.  If you agree, close the bug with modified.
Comment 17 Kashyap Chamarthy 2009-06-21 14:27:19 EDT
I've enabled "Manual device Dual-Use Certificate Enrollment to contain UUID in SAN" in the agent pages. Then, issued a cert with this profile from EE pages with a random UUID picked from elsewhere - certificate was issued and subjectaltname extension as below from the issued certificate

..........

Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no 
                    Value: 
                        OtherName: (IA5String)1.2.3.4,c29302d0-9d1d-4a3d-9681-7881bc7f7af1

......

Can someone let me know if I'm going the right way?
Comment 18 Chandrasekar Kannan 2009-06-23 09:27:53 EDT
can you try with profile caUUIDdeviceCert.cfg since that was the one added for this bug?
Comment 19 Kashyap Chamarthy 2009-06-23 09:36:57 EDT
Chandra, that is what I tried in comment #17

"caUUIDdeviceCert.cfg" is the *Certificate Profile Id*

"Manual device Dual-Use Certificate Enrollment to contain UUID in SAN" is the *Certificate Profile Name* - so this uses the caUUIDdeviceCert.cfg
Comment 20 Chandrasekar Kannan 2009-06-23 09:47:16 EDT
policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4


your output looks good to me. mark it verified.

Deon - is this documented?
Comment 22 Deon Ballard 2009-06-23 12:43:58 EDT
For Chandra in comment #20:
Yes, this is in the docs a little. I opened doc bug 491905 for it, and the relevant links are: 

* The SubjAltName Extension default section: 
http://elladeon.fedorapeople.org/RHCS/8.0/admin/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

* The list for the subjaltname configuration tokens for LDAP and other attributes at
http://elladeon.fedorapeople.org/RHCS/8.0/admin/Managing_Subject_Names_and_Subject_Alternative_Names.html#Populating_Certificates_with_Directory_Attributes

These really just reference using UUID as an option; there's no setup information, if that's required.
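
The check done by eye in comments 17 to 20, as an added example (not part of the thread and not Dogtag code): it compares the SAN line of an issued certificate with the profile's `subjAltExtPattern_1` and confirms the value is a canonical version 4 UUID. The function names, and the reading that a `UUID4` source means a version 4 value in the `$server.source$` slot, are assumptions of this example.

```python
import re
import uuid

# From the page: profile parameters (comment 20) and the issued SAN line (comment 17).
PROFILE = {
    "subjAltExtPattern_1": "(IA5String)1.2.3.4,$server.source$",
    "subjAltExtSource_1": "UUID4",
}
ISSUED = "OtherName: (IA5String)1.2.3.4,c29302d0-9d1d-4a3d-9681-7881bc7f7af1"

_OTHERNAME = re.compile(r"^\((?P<type>\w+)\)(?P<oid>\d+(?:\.\d+)+),(?P<value>.*)$")
_CANONICAL_UUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_othername(text):
    """Split '(Type)oid,value' into its three parts, or raise ValueError."""
    m = _OTHERNAME.match(text.strip())
    if m is None:
        raise ValueError(f"not an OtherName pattern: {text!r}")
    return m.group("type"), m.group("oid"), m.group("value")


def is_uuid4(value):
    """True only for a canonical-form RFC 4122 version 4 UUID."""
    if not _CANONICAL_UUID.match(value):
        return False  # uuid.UUID() alone would also accept braces, urn: prefixes, etc.
    u = uuid.UUID(value)
    return u.variant == uuid.RFC_4122 and u.version == 4


def check_san(profile, san_line):
    """Return a list of mismatches between the profile and the issued SAN line."""
    want_type, want_oid, template = parse_othername(profile["subjAltExtPattern_1"])
    label, _, rest = san_line.strip().partition(":")
    if label != "OtherName":
        return [f"unexpected general name type {label!r}"]
    got_type, got_oid, value = parse_othername(rest)
    problems = []
    if got_type != want_type:
        problems.append(f"encoding {got_type} != {want_type}")
    if got_oid != want_oid:
        problems.append(f"type-id OID {got_oid} != {want_oid}")
    uuid4_expected = template == "$server.source$" and profile["subjAltExtSource_1"] == "UUID4"
    if uuid4_expected and not is_uuid4(value):
        problems.append(f"value {value!r} is not a version 4 UUID")
    return problems

if __name__ == "__main__":
    print(check_san(PROFILE, ISSUED) or "SAN matches profile")
```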
