For each default, there needs to be information on what patterns or tokens can be used as values. For example, for the subjectaltname default:
    http://elladeon.fedorapeople.org/RHCS/8.0/admin/Administration_Guide-Certificate_and_CRL_Extensions.html#Administration_Guide-Defaults_Reference-Subject_Alternative_Name_Extension_Default
    policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
    policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
What are the possible values for each subjAltExtPattern_# parameter? That needs to be added. This needs done for both CA profiles and TPS profiles (see bug 488624).
I added the table to the default section:
    http://elladeon.fedorapeople.org/RHCS/8.0/admin/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
I also tried to make the existing section on inserting LDAP attributes in the subjaltname (which had this table of tokens already) more prominent in the docs:
    http://elladeon.fedorapeople.org/RHCS/8.0/admin/Managing_Subject_Names_and_Subject_Alternative_Names.html#Populating_Certificates_with_Directory_Attributes
That's in a new (major) section on managing the subject name/subjaltname. I've sent an email out to the engineers to make sure all of the possible tokens are included. Also, I'm not sure about the second section, on LDAP attributes, because I also included the UUID token in there. It seems appropriate to me, but I don't know if there is a whole slew of non-LDAP tokens available for the subjaltname that it belongs to, instead. If that's the case, I'll change the docs accordingly. For now, changing to modified.
Deon, any feedback from eng re LDAP attributes in comment #1? Thanks, Andrew
Andrew, I *believe* that was covered in the tech reviews for admin chapter 2, in bug 510625. Don't hold me to it, though.
Thanks Deon, comment #7 of bug 510625 :) Cool, then we can close this one.