Hi Oliver,
On Friday, 16 September 2016 12:54:44 CEST Oliver Welter wrote:
> > First things we're targeting:
> > - in the SAN field we'd like to change the input fields (allow ipv6
> > addresses...)
>
> That's easy - have a look at the profile definition in the
> realm/ca-one/profile folder, in the "ui -> san" block add a new
> definition, e.g. "ipv6". Then go to the template/ subfolder, make a copy
> from the ipv4.yaml file and adjust the regex to match your desired format.
OK, I did the following:
First I tried to add san_ipv6 as you suggested. This somehow worked, but ended
in the san-field of the certificate not being properly populated (instead of "IP
Address: aaa::1" the label was missing, so it showed ":aaa::1"). Changing
the id to "ip" in the san_ipv6.yaml caused validation errors (looks like the
regex from san_ipv4 was applied...).
Anyway. I decided to modify the ipv4 type, since in the csr there's no
difference between ipv4 and ipv6 san addresses - it's always "IP Address:
<...>". This accepted ipv4 and ipv6 addresses when creating a csr, but in the
end the policy was violated. Looks like there's another place where the "ip"
type is checked?!
I tried to find something in the logfiles, so far no luck...
The certificate is generated without errors, but the IPv6 address is truncated
after the first colon (e.g. "2001:").
So the question for me is:
Is it preferred to go your suggested way and make OpenXPKI somehow insert
the ipv6 address as "IP Address:" field in the csr, or would it be easier to
modify the existing ipv4 type to accept ipv6 as well?
Thanks,
Andreas