当前位置: 文江博客话题详情

KRB5KDC客户端名称不匹配在freeipa,通过证书身份验证

发布于 2025-01-19 00:32:15 字数 2327 浏览 9 评论 0原文

情况是我正在使用标准证书创建配置文件为 FreeIPA 创建用户证书。但每次当我尝试使用证书以域用户身份登录时,我都会看到消息“客户端名称不匹配”。据我了解,这条消息是由kerberos发送的,但绝对不清楚他不喜欢我的证书的什么。 同时,我可以安全地以用户身份登录,并通过无需证书登录来获取 Kerberos 票证。

如果我尝试通过证书获取 Kerberos 票证,这就是命令返回给我的内容:

KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=FILE:/root/arantin.pem,/root/arantin.key arantin
[9541] 1649160627.927861: Getting initial credentials for [email protected]
[9541] 1649160627.928000: Sending request (167 bytes) to FREE.IPA
[9541] 1649160627.928150: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.928265: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160627.930303: Received answer (292 bytes) from stream 192.168.3.3:88
[9541] 1649160627.930330: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.930421: Response was from master KDC
[9541] 1649160627.930477: Received error from KDC: -1765328359/Additional pre-authentication required
[9541] 1649160627.930505: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[9541] 1649160627.930528: Selected etype info: etype aes256-cts, salt "9X\Clzp2xtK\fDk_", params ""
[9541] 1649160627.930547: Received cookie: MIT
[9541] 1649160627.930717: Preauth module pkinit (147) (info) returned: 0/Success
[9541] 1649160627.930893: PKINIT client computed kdc-req-body checksum 9/AC06024CC2069A9C1060B15A3403C8E8BD6447CC
[9541] 1649160627.930912: PKINIT client making DH request
[9541] 1649160628.173868: Preauth module pkinit (16) (real) returned: 0/Success
[9541] 1649160628.173901: Produced preauth for next request: 133, 16
[9541] 1649160628.173930: Sending request (2844 bytes) to FREE.IPA
[9541] 1649160628.174001: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.174096: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160628.176732: Received answer (161 bytes) from stream 192.168.3.3:88
[9541] 1649160628.176758: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.176814: Response was from master KDC
[9541] 1649160628.176851: Received error from KDC: -1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials

我需要了解如何在 FreeIPA 上配置证书颁发配置文件,以便它们工作并接收 kerberos 票证。

原文

the situation is that I am creating a user certificate for FreeIPA using standard certificate creation profiles. But every time I see the message "Client name mismatch" when I try to log in as a domain user using a certificate. This message, as I understand it, is sent by kerberos, but it is absolutely not clear what he does not like about my certificate.
At the same time, I can safely log in as a user and get a Kerberos ticket by logging in without a certificate.

This is what the command returns to me if I try to get a Kerberos ticket by certificate:

KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=FILE:/root/arantin.pem,/root/arantin.key arantin
[9541] 1649160627.927861: Getting initial credentials for [email protected]
[9541] 1649160627.928000: Sending request (167 bytes) to FREE.IPA
[9541] 1649160627.928150: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.928265: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160627.930303: Received answer (292 bytes) from stream 192.168.3.3:88
[9541] 1649160627.930330: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.930421: Response was from master KDC
[9541] 1649160627.930477: Received error from KDC: -1765328359/Additional pre-authentication required
[9541] 1649160627.930505: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[9541] 1649160627.930528: Selected etype info: etype aes256-cts, salt "9X\Clzp2xtK\fDk_", params ""
[9541] 1649160627.930547: Received cookie: MIT
[9541] 1649160627.930717: Preauth module pkinit (147) (info) returned: 0/Success
[9541] 1649160627.930893: PKINIT client computed kdc-req-body checksum 9/AC06024CC2069A9C1060B15A3403C8E8BD6447CC
[9541] 1649160627.930912: PKINIT client making DH request
[9541] 1649160628.173868: Preauth module pkinit (16) (real) returned: 0/Success
[9541] 1649160628.173901: Produced preauth for next request: 133, 16
[9541] 1649160628.173930: Sending request (2844 bytes) to FREE.IPA
[9541] 1649160628.174001: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.174096: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160628.176732: Received answer (161 bytes) from stream 192.168.3.3:88
[9541] 1649160628.176758: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.176814: Response was from master KDC
[9541] 1649160628.176851: Received error from KDC: -1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials

I need to understand how to configure certificate issuance profiles on FreeIPA so that they work and receive a kerberos ticket.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

梦中的蝴蝶 2025-01-26 00:32:15

我会回答自己。问题在于,有必要将以下行添加到KDM和KRB5配置 - 在领域和libdefaults块中,

pkinit_eku_checking = none 
pkinit_allow_upn = true.

您还需要创建一个新的配置文件。 Freeipa的说明
https://www.freeipa.org/page/page/page/page/v4/certificate_profiles

>


profileId=KDCs_PKINIT_Certs
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
visible=false
enable=true
enableBy=ipara
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,O=FREE.IPA
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.free.ipa/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.free.ipa/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.name=Subject Alt Name Constraint
policyset.serverCertSet.13.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.13.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.13.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$@FREE.IPA
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,[email protected]
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=2

@ a Freeipa-用您的域部分替换

I'll answer myself. The problem was that it was necessary to add the following lines to the kdm and krb5 configs - to the realms and libdefaults blocks, respectively

pkinit_eku_checking = none 
pkinit_allow_upn = true.

You will also need to create a new profile. Instructions from FreeIPA
https://www.freeipa.org/page/V4/Certificate_Profiles

Certificate example


profileId=KDCs_PKINIT_Certs
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
visible=false
enable=true
enableBy=ipara
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,O=FREE.IPA
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.free.ipa/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.free.ipa/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.name=Subject Alt Name Constraint
policyset.serverCertSet.13.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.13.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.13.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$@FREE.IPA
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,[email protected]
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=2

@FreeIPA - replace it with your domain part

回复 原文
~没有更多了~

关于作者

柒七

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

櫻之舞

文章 0 评论 0

弥枳

文章 0 评论 0

m2429

文章 0 评论 0

寻找一个思念的角度

文章 0 评论 0

野却迷人

文章 0 评论 0

我怀念的。

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文