Bug 442800
Description
Christina Fu
2008-04-16 21:10:30 UTC
Created attachment 302679 [details]
added implementation for support of UUID in Subject Alternative name extension
Created attachment 302680 [details]
sample profile to be used. default to be not enabled
Please code review. Thanks.

attachment (id=302679) +awnuk
attachment (id=302680) +awnuk

Created attachment 302814 [details]
a little refinement to clarify this is only UUID version 4 plus making the pattern flexible as others
Created attachment 302815 [details]
and example profile cfg to go with the refinement
note the $server.source$ pattern and the UUID4 source.
Created attachment 302822 [details]
two spec files changed
Created attachment 302823 [details]
CS.cfg diff
this should complete all the changes submitted.
please review.

attachment (id=302822) +mharmsen
attachment (id=302815) +awnuk
attachment (id=302814) +awnuk
attachment (id=302823) +awnuk
attachment (id=302822) +mharmsen

Created attachment 302826 [details]
CS.cfg take 2 - reflect change of profile name
Created attachment 302827 [details]
profile name changed

attachment (id=302826) +awnuk
attachment (id=302827) +awnuk

[cfu@jaw ca]$ svn add caUUIDdeviceCert.cfg
A         caUUIDdeviceCert.cfg
[cfu@jaw ca]$ pwd
/home/cfu/dogtag/src0/pki/base/ca/shared/profiles/ca
[cfu@jaw ca]$ cd -
/home/cfu/dogtag/src0/pki/
[cfu@jaw pki]$ svn update base/ca/shared/conf/CS.cfg base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java linux/ca/pki-ca.spec linux/common/pki-common.spec
At revision 26.
At revision 26.
At revision 26.
At revision 26.
[cfu@jaw pki]$ svn commit base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg base/ca/shared/conf/CS.cfg base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java linux/ca/pki-ca.spec linux/common/pki-common.spec
Sending        base/ca/shared/conf/CS.cfg
Adding         base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
Sending        base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
Sending        linux/ca/pki-ca.spec
Sending        linux/common/pki-common.spec
Transmitting file data .....
Committed revision 27.

I think what we have here is enough for 8.0. If agree, close the bug with modified.

I've enabled "Manual device Dual-Use Certificate Enrollment to contain UUID in SAN" in the agent pages. Then, issued a cert with this profile from EE pages with a random UUID picked from elsewhere - certificate was issued and subjectaltname extension as below from the issued certificate
..........
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
OtherName: (IA5String)1.2.3.4,c29302d0-9d1d-4a3d-9681-7881bc7f7af1
......
Can someone let me know if I'm going the right way?

Can you try with profile caUUIDdeviceCert.cfg, since that was the one added for this bug?

Chandra, that is what I tried in comment #17.
"caUUIDdeviceCert.cfg" is the *Certificate Profile Id*
"Manual device Dual-Use Certificate Enrollment to contain UUID in SAN" is the *Certificate Profile Name*
- so this uses the caUUIDdeviceCert.cfg

policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4

Your output looks good to me. Mark it verified.

Deon - is this documented?

For Chandra in comment #20:
Yes, this is in the docs a little. I opened doc bug 491905 for it, and the relevant links are:
* The SubjAltName Extension default section: http://elladeon.fedorapeople.org/RHCS/8.0/admin/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
* The list for the subjaltname configuration tokens for LDAP and other attributes at http://elladeon.fedorapeople.org/RHCS/8.0/admin/Managing_Subject_Names_and_Subject_Alternative_Names.html#Populating_Certificates_with_Directory_Attributes

These really just reference using UUID as an option; there's not setup information, if that's required.
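
One way to script the verification step discussed in the comments above: check that the displayed OtherName value matches the profile's subjAltExtPattern_1 and that the substituted source is an RFC 4122 version 4 UUID. This is an added example, not code from the bug's attachments or from Dogtag; the function names are hypothetical, and the sample value is the one quoted from the issued certificate.

```python
import re
import uuid

# Pattern from the caUUIDdeviceCert.cfg lines quoted in this bug.
PATTERN = "(IA5String)1.2.3.4,$server.source$"
# SAN value as displayed for the certificate issued in the verification comment.
SAMPLE_VALUE = "OtherName: (IA5String)1.2.3.4,c29302d0-9d1d-4a3d-9681-7881bc7f7af1"
CANONICAL = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def pattern_to_regex(pattern):
    """Compile a subjAltExtPattern value; $server.source$ becomes a capture group."""
    literal, token, rest = pattern.partition("$server.source$")
    if not token:
        raise ValueError("pattern has no $server.source$ token")
    return re.compile(re.escape(literal) + r"(?P<source>\S+)" + re.escape(rest))


def extract_uuid4(san_value, pattern=PATTERN):
    """Return the UUID from a displayed OtherName value, or raise ValueError."""
    text = san_value.strip()
    if text.startswith("OtherName:"):
        text = text[len("OtherName:"):].strip()
    match = pattern_to_regex(pattern).fullmatch(text)
    if match is None:
        raise ValueError("value does not match the profile pattern")
    raw = match.group("source")
    # uuid.UUID() also accepts braces, urn: prefixes and missing hyphens,
    # so insist on the canonical 8-4-4-4-12 text form first.
    if not CANONICAL.fullmatch(raw):
        raise ValueError("source is not a canonically formatted UUID")
    parsed = uuid.UUID(raw)
    if parsed.variant != uuid.RFC_4122 or parsed.version != 4:
        raise ValueError("UUID is not RFC 4122 version 4")
    return parsed


if __name__ == "__main__":
    print(extract_uuid4(SAMPLE_VALUE))
```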