I'm trying to sign a CSR from a Cisco AnyConnect (server) instance to be used 
for site-to-site connections (clients are enrolled with the FreeIPA instance); 
as far as I figured, validation only happens with the subject when using 
AnyConnect.

What I was hoping would happen is for the signing process to simply 'copy' 
and sign what was input.

I will investigate certification profiles further and let you know how it goes.


Kind regards

Joel Kåberg
Security Analyst, HelseCERT
Norsk Helsenett
+47 7356 5710 | +47 979 54 918
www.nhn.no

This e-mail is intended only for the recipient named above. If you have 
received this message in error, you must not forward or copy it. Please inform 
the sender and delete the message and any attachments from your PC. Norsk 
Helsenett SF accepts no responsibility for changes to the content after the 
message has been sent. E-mail transmission is not guaranteed to be secure, 
confidential or error-free, because information may be intercepted, corrupted, 
lost, destroyed, delayed, be incomplete or contain malicious code. This e-mail 
was checked for malicious code before being sent from Norsk Helsenett SF.

-----Original Message-----
From: Fraser Tweedale [mailto:ftwee...@redhat.com]
Sent: Friday, 20 October 2017 01:25
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Joel Kåberg <joel.kab...@nhn.no>
Subject: Re: [Freeipa-users] Unable to sign CSR with multiple CN in subject

On Thu, Oct 19, 2017 at 10:40:12AM +0000, Joel Kåberg via FreeIPA-users wrote:
> Hello
>
> I'm trying to sign a CSR which has multiple CN in the certificate
> subject. When the certificate is signed it only contains one CN in the
> subject (should be 2, site1.domain.tld and site2.domain.tld), and
> furthermore only two alternative names (should be 3 – missing the
> site2.domain.tld), see below for output example.
>
> Does anyone know why this is happening, and if there is a way around it?
> The documentation on this seems a bit sparse (or hard to find?), so
> I'd really appreciate some input.
>

This happens because the certificate profile does not take the Subject DN from 
the CSR verbatim; instead it picks a few bits out of the CSR.  This includes a 
single CN.  This is the behaviour of the SubjectNameDefault profile component; 
I do not know a workaround when using this component.

But you might be able to create a custom profile that uses the 
`UserSubjectNameDefault' component instead.  This one does copy the subject 
name from the CSR as-is.  I haven't tried this but if you try it out, let us 
know how it goes.

Cheers,
Fraser

> The private.domain.tld is a "virtual" host in FreeIPA which has a
> service with 3 principal aliases tied to it
> (SERVICE/private.domain....@realm.secret.tld,
> SERVICE/site1.domain....@realm.secret.tld,
> SERVICE/site2.domain....@realm.secret.tld)
> -----------------------------------------------
> # openssl req -in signingrequest -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     -censored-
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 DNS:private.secret.tld
>     Signature Algorithm: sha1WithRSAEncryption
>         -censored-
>
> # ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
> Issuing CA: ipa
>   Certificate: -censored-
>   Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
>   Subject DNS name: private.domain.tld, site1.domain.tld
>   Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
>   Not Before: Thu Oct 19 10:27:13 2017 UTC
>   Not After: Sun Oct 20 10:27:13 2019 UTC
>   Serial number: 35
>   Serial number (hex): 0x23
>
> # openssl x509 -in signingrequest.csr.signed -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 23 (0x17)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
>         Validity
>             Not Before: Thu Oct 19 10:27:13 2017 UTC
>             Not After : Sun Oct 20 10:27:13 2019 UTC
>         Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     -censored-
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:-censored-
>
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
>
>             X509v3 Subject Key Identifier:
>                 -censored-
>             X509v3 Subject Alternative Name:
>                 DNS:private.secret.tld, DNS:site1.secret.tld
>     Signature Algorithm: sha256WithRSAEncryption
>          -censored-
> -----------------------------------------------

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
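The thread turns on the issued certificate silently carrying fewer names than the CSR asked for. As an added example (not from the thread, FreeIPA or Dogtag), the script below compares the `-text` output of `openssl req` and `openssl x509` and reports which Subject RDNs and SAN DNS entries the CA dropped or added, plus any requested host name that ends up in neither the CN nor the SAN of the issued certificate. The two inputs are constructed to mirror the outputs Joel posted (with the redacted and elided values left out); the function names are this example's own.

```python
"""Compare the Subject DN and SAN of a CSR with the certificate a CA issued for it.

Parses the text form printed by `openssl req -noout -text` and
`openssl x509 -noout -text`, so it needs no third-party library.
"""
import re
from collections import Counter

# Constructed sample CSR text, modelled on the request in the thread:
# two CNs in the Subject, one DNS SAN.
CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, O=Secret Organization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
"""

# Constructed sample certificate text, modelled on what the CA issued:
# the profile rebuilt the Subject and kept only one CN.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
"""

SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.MULTILINE)
SAN_RE = re.compile(r"Subject Alternative Name:[^\n]*\n\s*(.+)", re.MULTILINE)


def parse_subject(text):
    """Return the Subject DN as an ordered list of (attribute, value) pairs.

    Duplicates are kept, so a CSR with two CNs yields two ('CN', ...) entries.
    openssl separates RDNs with ', ' and, for some attributes, with '/';
    both separators are handled.
    """
    match = SUBJECT_RE.search(text)
    if not match:
        raise ValueError("no Subject line found")
    pairs = []
    for rdn in re.split(r",\s*|/", match.group(1)):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_san_dns(text):
    """Return the DNS names listed in the Subject Alternative Name extension."""
    match = SAN_RE.search(text)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def host_names(text):
    """Every CN value plus every DNS SAN, deduplicated, order preserved."""
    names = [v for a, v in parse_subject(text) if a == "CN"]
    names += parse_san_dns(text)
    return list(dict.fromkeys(names))


def diff_csr_vs_cert(csr_text, cert_text):
    """Report what the CA changed between request and issued certificate."""
    csr_subj, cert_subj = Counter(parse_subject(csr_text)), Counter(parse_subject(cert_text))
    csr_san, cert_san = set(parse_san_dns(csr_text)), set(parse_san_dns(cert_text))
    covered = set(host_names(cert_text))
    return {
        "dropped_rdns": sorted((csr_subj - cert_subj).elements()),
        "added_rdns": sorted((cert_subj - csr_subj).elements()),
        "dropped_sans": sorted(csr_san - cert_san),
        "added_sans": sorted(cert_san - csr_san),
        # Requested names a client validating by CN or SAN will not find.
        "missing_names": [n for n in host_names(csr_text) if n not in covered],
    }


if __name__ == "__main__":
    for key, value in diff_csr_vs_cert(CSR_TEXT, CERT_TEXT).items():
        print(f"{key}: {value}")
```

Run against real files, feed it the output of `openssl req -in request.csr -noout -text` and `openssl x509 -in issued.pem -noout -text`; a non-empty `missing_names` means the profile rewrote the request and the certificate should not be deployed as-is. Note that the thread's output shows this second CN was dropped by the profile, not by openssl, so a check like this belongs after issuance, not before.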
