On Thu, Oct 19, 2017 at 10:40:12AM +0000, Joel Kåberg via FreeIPA-users wrote:
> Hello
> 
> I'm trying to sign a CSR which has multiple CN in the certificate
> subject. When the certificate is signed it only contains one CN in
> the subject (should be 2, site1.domain.tld and site2.domain.tld),
> and furthermore only two alternative names (should be 3 – missing
> the site2.domain.tld), see below for output example.
> 
> Does anyone know why this is happening, and if there is a way around
> it? The documentation on this seems a bit sparse (or hard to
> find?), so I'd really appreciate some input.
> 

This happens because the certificate profile does not take the
Subject DN from the CSR verbatim; instead it picks a few bits out of
the CSR.  This includes a single CN.  This is the behaviour of the
SubjectNameDefault profile component; I do not know a workaround
when using this component.

But you might be able to create a custom profile that uses the
`UserSubjectNameDefault' component instead.  This one does copy the
subject name from the CSR as-is.  I haven't tried this but if you
try it out, let us know how it goes.

Cheers,
Fraser

> The private.domain.tld is a "virtual" host in FreeIPA which has a service
> with 3 principal aliases tied to it
> (SERVICE/private.domain....@realm.secret.tld,
> SERVICE/site1.domain....@realm.secret.tld,
> SERVICE/site2.domain....@realm.secret.tld)
> -----------------------------------------------
> # openssl req -in signingrequest -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     -censored-
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 DNS:private.secret.tld
>     Signature Algorithm: sha1WithRSAEncryption
>         -censored-
> 
> # ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
> Issuing CA: ipa
>   Certificate: -censored-
>   Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
>   Subject DNS name: private.domain.tld, site1.domain.tld
>   Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
>   Not Before: Thu Oct 19 10:27:13 2017 UTC
>   Not After: Sun Oct 20 10:27:13 2019 UTC
>   Serial number: 35
>   Serial number (hex): 0x23
> 
> # openssl x509 -in signingrequest.csr.signed -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 23 (0x17)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
>         Validity
>             Not Before: Thu Oct 19 10:27:13 2017 UTC
>             Not After : Sun Oct 20 10:27:13 2019 UTC
>         Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     -censored-
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:-censored-
> 
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp
> 
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
> 
>                 Full Name:
>                   URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
> 
>             X509v3 Subject Key Identifier:
>                 -censored-
>             X509v3 Subject Alternative Name:
>                 DNS:private.secret.tld, DNS:site1.secret.tld
>     Signature Algorithm: sha256WithRSAEncryption
>          -censored-
> -----------------------------------------------
> Kind regards
> 
> Joel Kåberg
> Security Analyst, HelseCERT
> norskhelsenett
>  +47 7356 5710 |  +47 979 54 918
> www.nhn.no

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
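As an added check, not code from this thread or from FreeIPA, the following Python compares the `openssl req -text` output of a request with the `openssl x509 -text` output of the certificate the CA issued, and lists the CN values and SAN entries that were requested but did not survive the profile. The embedded sample text is constructed from the abridged output quoted above, so it reproduces the dropped second CN that Joel reported.

```python
import re

# Constructed sample input, abridged from the openssl output quoted in the thread.
CSR_TEXT = """Certificate Request:
    Data:
        Subject: emailAddress=sec@secret.tld, C=US, O=Secret Organization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
"""
CERT_TEXT = """Certificate:
    Data:
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
"""

def parse_subject(text):
    """Subject DN as an ordered list of (attribute, value) pairs.
    RDNs are split on ', '; multi-valued RDN components on '/' or ' + '."""
    m = re.search(r"^\s*Subject:\s*(.*)$", text, re.M)
    if not m:
        raise ValueError("no Subject line in input")
    pairs = []
    for rdn in m.group(1).split(", "):
        for ava in re.split(r"/|\s\+\s", rdn):
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs

def parse_san(text):
    """Set of SAN entries ('DNS:host', ...) from the line after the SAN header."""
    m = re.search(r"Subject Alternative Name:.*\n\s*(.+)$", text, re.M)
    return {e.strip() for e in m.group(1).split(",")} if m else set()

def dropped_names(csr_text, cert_text):
    """(CN values, SAN entries) that were requested but are absent from the cert."""
    csr_cns = [v for a, v in parse_subject(csr_text) if a == "CN"]
    cert_cns = [v for a, v in parse_subject(cert_text) if a == "CN"]
    missing_cn = [v for v in csr_cns if v not in cert_cns]
    missing_san = sorted(parse_san(csr_text) - parse_san(cert_text))
    return missing_cn, missing_san

def subject_copied_verbatim(csr_text, cert_text):
    """True when the issued Subject DN matches the requested one attribute for
    attribute, which is what a profile that copies the CSR subject should give."""
    return parse_subject(csr_text) == parse_subject(cert_text)
```

On the sample, `dropped_names(CSR_TEXT, CERT_TEXT)` returns `(['site2.secret.tld'], [])`: the second CN is the only requested name missing, while the SAN was extended by the CA rather than reduced. Running the same comparison after switching to a profile that copies the subject should make `subject_copied_verbatim` return `True`.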