Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
3. To enable the CA to insert the LDAP attribute value in the certificate extension, edit the profile's
configuration file, and insert a policy set parameter for an extension. For example, to insert the
attribute value in the Subject Alternative Name extension in the caDirUser profile, do the
following:

    cd /var/lib/subsystem_name/profiles/ca
    vi caDirUser.cfg

    policyset.setID.8.default.params.subjAltExtPattern_0=$request.auth_token.mail$

4. Restart the CA.

    service pki-ca restart
For this example, certificates submitted through the caDirUser profile enrollment form will have the
Subject Alternative Name extension added with the value of the requester's LDAP attribute. For
example:

    Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        RFC822Name: [email protected]
There are many attributes which can be automatically inserted into certificates by being set as a
token ($X$) in any of the Pattern_ parameters in the policy set. The common tokens are listed in
Table 2.6, "Variables Used to Populate Certificates", and the default profiles contain examples for how
these tokens are used.
Policy Set Token                        Description

$request.auth_token.cn$                 The LDAP common name (cn) attribute of the user who requested
                                        the certificate.

$request.auth_token.mail$               The value of the LDAP email attribute of the user who requested
                                        the certificate.

$request.auth_token.tokenCertSubject$   The certificate subject name.

$request.auth_token.uid$                The LDAP user ID (uid) attribute of the user who requested the
                                        certificate.

$request.auth_token.user$

$request.auth_token.userDN$             The user DN of the user who requested the certificate.

$request.auth_token.userid$             The value of the user ID attribute for the user who requested
                                        the certificate.

$request.uid$                           The value of the user ID attribute for the user who requested
                                        the certificate.

$request.profileRemoteAddr$             The IP address of the user making the request. This can be an
                                        IPv4 or an IPv6 address, depending on the client. An IPv4
                                        address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For
                                        example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6
                                        address uses a 128-bit namespace, with the IPv6 address
                                        separated by colons and the netmask separated by periods. For
                                        example, 0:0:0:0:0:0:13.1.68.3, FF01::43,
                                        0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0,
                                        and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.

$request.profileRemoteHost$             The hostname or IP address of the user's machine. The hostname
                                        can be the fully-qualified domain name and the protocol, such
                                        as http://server.example.com. An IPv4 address must be in the
                                        format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or
                                        128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit
                                        namespace, with the IPv6 address separated by colons and the
                                        netmask separated by periods. For example,
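The following is an added example, not Certificate System code: it models how a subjAltExtPattern_N parameter is populated by substituting $request...$ tokens from the enrollment request, and refuses to emit a SAN value when a token cannot be resolved, so that a missing LDAP attribute does not produce a blank or partial name. The nested-dict request layout, the regex, and the sample profile and request values are assumptions made for the example.

```python
import re

# Matches the $token$ placeholders used in the profile's *Pattern_* parameters,
# e.g. $request.auth_token.mail$ (this regex is the example's own approximation).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")

# Constructed sample data: a profile fragment as it might appear in caDirUser.cfg
# and the request-side values an LDAP-authenticated enrollment could carry.
SAMPLE_PROFILE_CFG = {
    "policyset.setID.8.default.params.subjAltExtPattern_0": "$request.auth_token.mail$",
    "policyset.setID.8.default.params.subjAltExtPattern_1": "$request.auth_token.user$",
}
SAMPLE_REQUEST = {
    "request": {
        "auth_token": {"mail": "jsmith@example.com", "uid": "jsmith", "cn": "John Smith"},
        "profileRemoteAddr": "128.21.39.40",
    }
}

def resolve_token(name, request):
    """Walk a dotted token name ('request.auth_token.mail') through nested dicts."""
    node = request
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def expand_pattern(pattern, request):
    """Substitute every $token$; return None if any token is unset or empty,
    so a pattern never silently yields a blank or partial SAN value."""
    missing = []
    def replace(match):
        value = resolve_token(match.group(1), request)
        if value in (None, ""):
            missing.append(match.group(1))
            return ""
        return str(value)
    expanded = TOKEN_RE.sub(replace, pattern)
    return None if missing else expanded

def san_values(profile_cfg, request):
    """Expand each subjAltExtPattern_N parameter in index order, dropping
    patterns whose tokens cannot be resolved from the request."""
    keys = sorted((k for k in profile_cfg if ".subjAltExtPattern_" in k),
                  key=lambda k: int(k.rsplit("_", 1)[1]))
    values = []
    for key in keys:
        expanded = expand_pattern(profile_cfg[key], request)
        if expanded is not None:
            values.append(expanded)
    return values
```

Run against the constructed sample, only the mail-based pattern survives; the $request.auth_token.user$ pattern is dropped because the request carries no such attribute.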