Hello

I'm trying to sign a CSR which has multiple CNs in the certificate subject. 
When the certificate is signed it only contains one CN in the subject (should 
be 2, site1.domain.tld and site2.domain.tld), and furthermore only two 
alternative names (should be 3 – missing the site2.domain.tld), see below for 
output example.

Does anyone know why this is happening, and if there is a way around it? The 
documentation on this seems a bit sparse (or hard to find?), so I'd really 
appreciate some input.

The private.domain.tld is a "virtual" host in FreeIPA which has a service with 
3 principal aliases tied to it (SERVICE/private.domain....@realm.secret.tld, 
SERVICE/site1.domain....@realm.secret.tld, 
SERVICE/site2.domain....@realm.secret.tld).
-----------------------------------------------
# openssl req -in signingrequest -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
    Signature Algorithm: sha1WithRSAEncryption
        -censored-

# ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
Issuing CA: ipa
  Certificate: -censored-
  Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
  Subject DNS name: private.domain.tld, site1.domain.tld
  Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
  Not Before: Thu Oct 19 10:27:13 2017 UTC
  Not After: Sun Oct 20 10:27:13 2019 UTC
  Serial number: 35
  Serial number (hex): 0x23

# openssl x509 -in signingrequest.csr.signed -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
        Validity
            Not Before: Thu Oct 19 10:27:13 2017 UTC
            Not After : Sun Oct 20 10:27:13 2019 UTC
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:-censored-

            Authority Information Access:
                OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                -censored-
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
    Signature Algorithm: sha256WithRSAEncryption
         -censored-
-----------------------------------------------
Kind regards

Joel Kåberg
Security Analyst, HelseCERT
norskhelsenett
 +47 7356 5710 |  +47 979 54 918
www.nhn.no
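A small consistency check of the kind this question calls for, added here as an example (it is not from the thread, FreeIPA or OpenSSL): it parses the `-text` output of the request and of the issued certificate, using only the standard library, and reports every requested name (subject CNs plus SAN DNS entries) that the CA did not carry into the certificate. The two inputs are constructed, abbreviated copies of the output quoted above, and the regexes assume OpenSSL's default one-line `Subject:` and SAN formatting.

```python
import re

# Constructed sample: abbreviated `openssl req -noout -text` output of the CSR
# (two CNs in the subject and one SAN entry, as in the post).
CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
"""

# Constructed sample: abbreviated `openssl x509 -noout -text` output of the issued cert.
CERT_TEXT = """\
Certificate:
    Data:
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
"""


def subject_cns(text):
    """Return every CN value of the first 'Subject:' line, in order."""
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE)
    if not m:
        return []
    # A value ends at the next RDN separator; '/' also stops it at the
    # '/unstructuredName=...' suffix openssl prints after the last RDN.
    return re.findall(r"CN=([^,/\n]+)", m.group(1))


def san_dns(text):
    """Return the DNS entries of the Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n([^\n]*)", text)
    if not m:
        return []
    return re.findall(r"DNS:([^,\s]+)", m.group(1))


def names(text):
    """All host names a request or certificate asserts: CNs plus SAN DNS names."""
    return set(subject_cns(text)) | set(san_dns(text))


def missing_names(csr_text, cert_text):
    """Names that were requested but are absent from the issued certificate."""
    return sorted(names(csr_text) - names(cert_text))


if __name__ == "__main__":
    for name in missing_names(CSR_TEXT, CERT_TEXT):
        print("requested but not issued:", name)  # site2.secret.tld
```

Running it against the real files (`openssl req -noout -text -in signingrequest` and `openssl x509 -noout -text -in signingrequest.csr.signed`) instead of the embedded samples gives the same kind of report for any CSR/certificate pair, which is a cheap gate to put in a provisioning script before a certificate is deployed.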

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org