#1110 pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR)
Closed: Fixed None Opened 10 years ago by mharmsen.

When pkispawn is run to utilize an External CA, there are no X.509 v3
extensions added to the certificate signing request (CSR) to signify to the
certificate authority (CA) that the request is for a subordinate CA. This
situation manifests in conditions where the CA is not a Dogtag Certificate
Server.


Proposed Milestone: 10.2.1 (per CS Meeting of 09/17/2014)

pushed to master:
commit ee33bb2a90a183b9d5552c6ac193e9d8958a3974

information about this patch:
It was agreed upon that this patch just needs to provide the bare essential to do the job without anything fancy.

As a result, four new pkispawn configuration parameters are introduced with the following default:
pki_req_ext_add=False
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
pki_req_ext_critical=False
pki_req_ext_data=1E0A00530075006200430041

where pki_req_ext_add controls whether this extra request extension is to be added or not to the csr of a CA signing cert (by default it's False). It is available only for the "external CA" case, and only one such extension can be added.

There is a potential that in the future we could make this extension available for all cert requests and in multiple. However, it is not a goal at this time for the purpose of this patch. When the need arises, we will file a separate ticket for it.

pushed to DOGTAG_10_1_BRANCH :

commit 7da4d9802f058f2f78777928c7e259578ad6daef

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1673

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Log in to comment on this ticket.

Metadata