[Freeipa-users] Re: Unable to sign CSR with multiple CN in subject

2017-10-20 Thread Joel Kåberg via FreeIPA-users
I'm trying to sign a CSR from a Cisco AnyConnect (server) instance to be used 
for site-to-site connections (clients are enrolled with the FreeIPA instance) 
- as far as I figured, validation only happens on the subject when using 
AnyConnect.

What I was hoping would happen is for the signing process to simply 'copy' 
and sign what was input.

I will investigate certificate profiles further and let you know how it goes.


Kind regards

Joel Kåberg
Security Analyst, HelseCERT
Norsk Helsenett
+47 7356 5710 | +47 979 54 918
www.nhn.no

This e-mail is intended solely for the recipient named above. If you have 
received this message in error, you must not forward or copy it. Please 
notify the sender and delete the message and any attachments from your PC. 
Norsk Helsenett SF accepts no responsibility for changes to the content after 
the message was sent. E-mail transmission is not guaranteed to be secure, 
confidential or error-free, because information can be intercepted, corrupted, 
lost, destroyed, delayed, be incomplete or contain malicious code. This e-mail 
was checked for malicious code before being sent from Norsk Helsenett SF.

-Original message-
From: Fraser Tweedale [mailto:ftwee...@redhat.com]
Sent: Friday 20 October 2017 01:25
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Joel Kåberg <joel.kab...@nhn.no>
Subject: Re: [Freeipa-users] Unable to sign CSR with multiple CN in subject

On Thu, Oct 19, 2017 at 10:40:12AM +, Joel Kåberg via FreeIPA-users wrote:
> Hello
>
> I'm trying to sign a CSR which has multiple CN in the certificate
> subject. When the certificate is signed it only contains one CN in the
> subject (should be 2, site1.domain.tld and site2.domain.tld), and
> furthermore only two alternative names (should be 3 – missing the
> site2.domain.tld), see below for output example.
>
> Does anyone know why this is happening, and if there is a way around it?
> The documentation on this seems a bit sparse (or hard to find?), so
> I'd really appreciate some input.
>

This happens because the certificate profile does not take the Subject DN from 
the CSR verbatim; instead it picks a few bits out of the CSR.  This includes a 
single CN.  This is the behaviour of the SubjectNameDefault profile component; 
I do not know a workaround when using this component.

But you might be able to create a custom profile that uses the 
`UserSubjectNameDefault' component instead.  This one does copy the subject 
name from the CSR as-is.  I haven't tried this but if you try it out, let us 
know how it goes.

Cheers,
Fraser

> The private.domain.tld is a "virtual" host in FreeIPA which has a
> service with 3 principal aliases tied to it
> (SERVICE/private.domain@realm.secret.tld,
> SERVICE/site1.domain@realm.secret.tld,
> SERVICE/site2.domain@realm.secret.tld)
> ---
> # openssl req -in signingrequest -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     -censored-
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 DNS:private.secret.tld
>     Signature Algorithm: sha1WithRSAEncryption
>         -censored-
>
> # ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
> Issuing CA: ipa
>   Certificate: -censored-
>   Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
>   Subject DNS name: private.domain.tld, site1.domain.tld
>   Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
>   Not Before: Thu Oct 19 10:27:13 2017 UTC
>   Not After: Sun Oct 20 10:27:13 2019 UTC
>   Serial number: 35
>   Serial number (hex): 0x23
>
> # openssl x509 -in signingrequest.csr.signed -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 23 (0x17)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
>         Validity
>             Not Before: Thu Oct 19 10:27:13 2017 UTC
>             Not After : Sun Oct
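Fraser's suggestion above, worked through as an added example (this is not code from the thread or from FreeIPA itself): it takes the subject-name policy of an exported certificate profile and rewrites it so the Subject DN is copied from the CSR verbatim (userSubjectNameDefaultImpl) instead of being rebuilt from a single CN (subjectNameDefaultImpl). The subject-name constraint pattern is relaxed at the same time, since a pattern that expects "CN=..., ..." would reject other subject layouts. The sample stanza is constructed after the default caIPAserviceCert profile as exported with `ipa certprofile-show caIPAserviceCert --out=FILE`; the exact lines on a given server may differ, and the new profile name caUserSubjectCert and the realm REALM.SECRET.TLD are assumptions.

```python
"""Rewrite a Dogtag/FreeIPA certificate profile so that the Subject DN is
taken from the CSR as-is (UserSubjectNameDefault) rather than rebuilt from
a single CN (SubjectNameDefault).

Added example, not FreeIPA's own code.  SAMPLE_PROFILE is a constructed
excerpt modelled on the default caIPAserviceCert profile; compare it with
the real export from your CA before relying on the key names.
"""
import re

# Constructed sample: only the profileId and the subject-name policy of an
# export made with `ipa certprofile-show caIPAserviceCert --out=...`.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=REALM.SECRET.TLD
"""


def parse_profile(text):
    """Return the profile as an ordered list of (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs.append((key, value))
    return pairs


def subject_policy_index(pairs):
    """Locate the policy whose default component is SubjectNameDefault.

    Returns (policyset name, policy number), e.g. ("serverCertSet", "1").
    """
    for key, value in pairs:
        m = re.fullmatch(r"policyset\.(\w+)\.(\d+)\.default\.class_id", key)
        if m and value == "subjectNameDefaultImpl":
            return m.group(1), m.group(2)
    raise ValueError("no subjectNameDefaultImpl policy in profile")


def to_user_subject_name(text, new_profile_id):
    """Return profile text that copies the CSR subject verbatim.

    - profileId is renamed, because an imported profile must not reuse the
      ID of an existing one;
    - the default component becomes userSubjectNameDefaultImpl and its DN
      template (params.name) is dropped, as it is no longer consulted;
    - the constraint pattern becomes '.*' so any CSR subject is accepted.
    """
    pairs = parse_profile(text)
    pset, num = subject_policy_index(pairs)
    prefix = f"policyset.{pset}.{num}."
    out = []
    for key, value in pairs:
        if key == "profileId":
            value = new_profile_id
        elif key == prefix + "default.class_id":
            value = "userSubjectNameDefaultImpl"
        elif key == prefix + "default.name":
            value = "User Subject Name Default"
        elif key == prefix + "default.params.name":
            continue
        elif key == prefix + "constraint.params.pattern":
            value = ".*"
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_user_subject_name(SAMPLE_PROFILE, "caUserSubjectCert"), end="")
```

Write the result to caUserSubjectCert.cfg and import it with `ipa certprofile-import caUserSubjectCert --file=caUserSubjectCert.cfg --store=TRUE --desc="Subject taken from CSR"`, then request with `ipa cert-request ... --profile-id=caUserSubjectCert`. With this profile the CA no longer pins the Subject to one CN plus the realm's O, so whatever the requester put in the CSR ends up in the certificate; limit who may use the profile with a CA ACL (`ipa caacl-add` / `ipa caacl-add-profile`) rather than leaving it open to every principal.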

[Freeipa-users] Unable to sign CSR with multiple CN in subject

2017-10-19 Thread Joel Kåberg via FreeIPA-users
Hello

I'm trying to sign a CSR which has multiple CN in the certificate subject. 
When the certificate is signed it only contains one CN in the subject (should 
be 2, site1.domain.tld and site2.domain.tld), and furthermore only two 
alternative names (should be 3 – missing the site2.domain.tld), see below for 
output example.

Does anyone know why this is happening, and if there is a way around it? The 
documentation on this seems a bit sparse (or hard to find?), so I'd really 
appreciate some input.

The private.domain.tld is a "virtual" host in FreeIPA which has a service 
with 3 principal aliases tied to it 
(SERVICE/private.domain@realm.secret.tld,
SERVICE/site1.domain@realm.secret.tld,
SERVICE/site2.domain@realm.secret.tld)
---
# openssl req -in signingrequest -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
    Signature Algorithm: sha1WithRSAEncryption
        -censored-

# ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld 
--certificate-out=signingrequest.csr.signed
Issuing CA: ipa
  Certificate: -censored-
  Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
  Subject DNS name: private.domain.tld, site1.domain.tld
  Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
  Not Before: Thu Oct 19 10:27:13 2017 UTC
  Not After: Sun Oct 20 10:27:13 2019 UTC
  Serial number: 35
  Serial number (hex): 0x23

# openssl x509 -in signingrequest.csr.signed -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
        Validity
            Not Before: Thu Oct 19 10:27:13 2017 UTC
            Not After : Sun Oct 20 10:27:13 2019 UTC
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    -censored-
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:-censored-

            Authority Information Access:
                OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                -censored-
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
    Signature Algorithm: sha256WithRSAEncryption
         -censored-
---
Kind regards

Joel Kåberg
Security Analyst, HelseCERT
Norsk Helsenett
 +47 7356 5710 |  +47 979 54 918
www.nhn.no


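The comparison Joel did by eye above (CSR subject and SAN versus what the CA issued), as an added example that is not part of the original post: it parses the text form of `openssl req -text` and `openssl x509 -text`, collects every CN in the Subject (including the old one-line form where a multi-valued RDN is printed with "/" between its components) and every dNSName in the SAN, and reports what the CA dropped or added. The two sample texts are constructed from the censored output in the post; the function that shells out to the openssl CLI on real files is an assumption about the environment, not something the post shows.

```python
"""Check whether an issued certificate kept the Subject DN and SAN names of
the CSR it was issued from, working on `openssl ... -text` output.

Added example, not code from the thread.  CSR_TEXT and CERT_TEXT are
constructed excerpts of the (censored) output in the post.
"""
import re
import subprocess

# Constructed sample: trimmed `openssl req -in signingrequest -noout -text`.
CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=sec...@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
"""

# Constructed sample: trimmed `openssl x509 -in signingrequest.csr.signed -noout -text`.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
"""


def subject_values(text, attr="CN"):
    """All values of one attribute type in the 'Subject:' line, in order.

    Splits on ', ' between RDNs and on '/' inside a multi-valued RDN, which
    is how older OpenSSL prints the CSR in the post.  Values that themselves
    contain ',' or '/' are not handled by this simple splitter.
    """
    m = re.search(r"^\s*Subject:\s*(.*)$", text, re.M)
    if not m:
        return []
    values = []
    for part in re.split(r",\s*|/", m.group(1)):
        key, _, value = part.partition("=")
        if key.strip() == attr:
            values.append(value.strip())
    return values


def san_dns_names(text):
    """dNSName entries listed under the Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.*)$", text, re.M)
    if not m:
        return []
    return [e.split(":", 1)[1] for e in re.split(r",\s*", m.group(1))
            if e.startswith("DNS:")]


def compare(csr_text, cert_text):
    """What the CA dropped from, and added to, the CSR's subject and SAN."""
    csr_cn, cert_cn = subject_values(csr_text), subject_values(cert_text)
    csr_san, cert_san = san_dns_names(csr_text), san_dns_names(cert_text)
    return {
        "missing_cn": [c for c in csr_cn if c not in cert_cn],
        "missing_san": [s for s in csr_san if s not in cert_san],
        "added_san": [s for s in cert_san if s not in csr_san],
    }


def compare_files(csr_path, cert_path):
    """Same check on real files via the openssl CLI (assumed to be installed)."""
    csr = subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    cert = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          capture_output=True, text=True, check=True).stdout
    return compare(csr, cert)


if __name__ == "__main__":
    print(compare(CSR_TEXT, CERT_TEXT))
```

On the post's own output this reports site2.secret.tld as the CN the CA dropped and site1.secret.tld as a SAN the CA added (the surviving CN, evidently copied into the SAN by the profile), which matches what the issued certificate shows. Running it before a certificate is deployed catches a profile that silently rewrote the subject, which is exactly the failure the thread is about.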

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org