When pkispawn is run to utilize an External CA, there are no X.509 v3 extensions added to the certificate signing request (CSR) to signify to the certificate authority (CA) that the request is for a subordinate CA. This situation manifests in conditions where the CA is not a Dogtag Certificate Server.
Proposed Milestone: 10.2.1 (per CS Meeting of 09/17/2014)
pushed to master: commit ee33bb2a90a183b9d5552c6ac193e9d8958a3974
Information about this patch: It was agreed upon that this patch just needs to provide the bare essentials to do the job without anything fancy.
As a result, four new pkispawn configuration parameters are introduced with the following defaults:
pki_req_ext_add=False
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
pki_req_ext_critical=False
pki_req_ext_data=1E0A00530075006200430041
where pki_req_ext_add controls whether this extra request extension is to be added or not to the CSR of a CA signing cert (by default it's False). It is available only for the "external CA" case, and only one such extension can be added.
There is a potential that in the future we could make this extension available for all cert requests and in multiple. However, it is not a goal at this time for the purpose of this patch. When the need arises, we will file a separate ticket for it.
pushed to DOGTAG_10_1_BRANCH: commit 7da4d9802f058f2f78777928c7e259578ad6daef
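The default pki_req_ext_data above is the DER encoding of a BMPString holding "SubCA", and 1.3.6.1.4.1.311.20.2 is Microsoft's certificate template name extension. The following Python is an added example, not code from the patch or from Dogtag: it encodes and decodes such a value and builds the X.509 Extension structure (RFC 5280) that would carry it. The function names are hypothetical, and it assumes pki_req_ext_data is used as the content of the extension's OCTET STRING.

```python
import binascii

def der_len(n):
    # DER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    # First two arcs share one byte; later arcs are base-128, high bit = "more"
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_ext_data(template_name):
    # BMPString (tag 0x1E) holds UTF-16BE code units
    return tlv(0x1E, template_name.encode("utf-16-be")).hex().upper()

def decode_ext_data(hex_value):
    # Validates a short-form BMPString; long-form lengths are rejected here
    raw = binascii.unhexlify(hex_value)
    if len(raw) < 2 or raw[0] != 0x1E:
        raise ValueError("not a DER BMPString")
    if raw[1] >= 0x80 or raw[1] != len(raw) - 2 or raw[1] % 2:
        raise ValueError("bad BMPString length")
    return raw[2:].decode("utf-16-be")

def build_extension(oid, critical, hex_value):
    # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
    body = encode_oid(oid)
    if critical:  # DER omits a BOOLEAN that equals its default (FALSE)
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, binascii.unhexlify(hex_value))
    return tlv(0x30, body)
```

Running decode_ext_data on a value before placing it in the pkispawn configuration catches a wrong tag or length before the CSR is generated.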
Metadata Update from @mharmsen: - Issue assigned to cfu - Issue set to the milestone: 10.2.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1673
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.