Fraser Tweedale via FreeIPA-users wrote:
On Thu, Oct 19, 2017 at 10:40:12AM +0000, Joel Kåberg via FreeIPA-users wrote:
Hello

I'm trying to sign a CSR which has multiple CN in the certificate
subject. When the certificate is signed it only contains one CN in
the subject (should be 2, site1.domain.tld and site2.domain.tld),
and furthermore only two alternative names (should be 3 – missing
the site2.domain.tld), see below for output example.

Does anyone know why this is happening, and if there is a way around
it? The documentation on this seems a bit sparse (or hard to
find?), so I'd really appreciate some input.


This happens because the certificate profile does not take the
Subject DN from the CSR verbatim; instead it picks a few bits out of
the CSR.  This includes a single CN.  This is the behaviour of the
SubjectNameDefault profile component; I do not know a workaround
when using this component.

But you might be able to create a custom profile that uses the
`UserSubjectNameDefault' component instead.  This one does copy the
subject name from the CSR as-is.  I haven't tried this but if you
try it out, let us know how it goes.

Cheers,
Fraser

I just wonder if he is trying to do SAN via the subject which AFAIU won't work. I believe only the RDN will be used when using subject to compare to hostname (and even that is being rapidly deprecated and not supported).

rob


The private.domain.tld is a "virtual" host in FreeIPA which has a service with 3 principal
aliases tied to it
(SERVICE/private.domain....@realm.secret.tld,
SERVICE/site1.domain....@realm.secret.tld,
SERVICE/site2.domain....@realm.secret.tld)
-----------------------------------------------
# openssl req -in signingrequest -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
    Signature Algorithm: sha1WithRSAEncryption
        -censored-

# ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
Issuing CA: ipa
  Certificate: -censored-
  Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
  Subject DNS name: private.domain.tld, site1.domain.tld
  Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
  Not Before: Thu Oct 19 10:27:13 2017 UTC
  Not After: Sun Oct 20 10:27:13 2019 UTC
  Serial number: 35
  Serial number (hex): 0x23

# openssl x509 -in signingrequest.csr.signed -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
        Validity
            Not Before: Thu Oct 19 10:27:13 2017 UTC
            Not After : Sun Oct 20 10:27:13 2019 UTC
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:-censored-

            Authority Information Access:
                OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                -censored-
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
    Signature Algorithm: sha256WithRSAEncryption
         -censored-
-----------------------------------------------
Best regards

Joel Kåberg
Security Analyst, HelseCERT
norskhelsenett
 +47 7356 5710 |  +47 979 54 918
www.nhn.no
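The direction the thread points to, as an added example that is not from the thread or from FreeIPA: a CSR that keeps a single CN and puts all three hostnames in the SAN, plus shell checks that list the subject CN values and verify the SAN before submitting with ipa cert-request. Hostnames under example.test are constructed placeholders; the block assumes OpenSSL 1.1.1 or newer (for `openssl req -addext`).

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a CSR that carries every
# hostname in subjectAltName and verifies it, the way a requester would check
# before running "ipa cert-request". All names are constructed placeholders.
# Assumes OpenSSL 1.1.1 or newer (for "openssl req -addext").
set -eu

WORK=$(mktemp -d)

# One CN only: the default IPA profile keeps a single CN anyway, so every
# hostname the certificate must cover goes into the SAN extension instead.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
        -subj "/O=EXAMPLE.TEST/CN=private.example.test" \
        -addext "subjectAltName=DNS:private.example.test,DNS:site1.example.test,DNS:site2.example.test" \
        2>/dev/null
}

# List the CN values in the CSR subject, one per line. More than one is a
# warning sign: SubjectNameDefault will keep only one of them.
csr_cn_values() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName *= *//p'
}

# List the SAN DNS names of a CSR, one per line.
csr_san_dns() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only when every expected hostname is present in the CSR's SAN.
check_san() {
    csr="$1"; shift
    names=$(csr_san_dns "$csr")
    for want in "$@"; do
        echo "$names" | grep -qxF "$want" || { echo "missing SAN: $want" >&2; return 1; }
    done
}

make_csr
csr_cn_values "$WORK/req.pem"
check_san "$WORK/req.pem" private.example.test site1.example.test site2.example.test
```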

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org