Hi Team,

We have found that the Pacemaker certificate is not generated with 
SubjectAlternativeName.

Please find the general guidelines:

In case client certificates are required, verification of the client identity 
SHOULD use the first matching subjectAltName field of the client certificate to 
be compared with an authorization identity present in a local or central AA 
database.
To mitigate the Man-in-the-Middle risk, the server identity verification is 
RECOMMENDED to be done as well. A client can accept several server certificates 
in certificate validation issued by the same trusted CA.

After certificate chain validation, the TLS client MUST check the identity of 
the server with a configured reference identity (e.g., a hostname). The clients 
MUST support checks using the subjectAltName field with type dNSName. If the 
certificate contains multiple subjectAltName values then a match with any one of 
the fields is considered acceptable.

Current Certificate details:
#keytool -printcert -file /var/lib/pcsd/pcsd.crt
Owner: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Issuer: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Serial number: 1703482bc5b
Valid from: Tue Feb 11 14:49:08 CET 2020 until: Fri Feb 08 14:49:08 CET 2030
Certificate fingerprints:
         MD5:  6E:C9:F8:E2:B9:F7:F6:65:53:B4:BD:B9:18:71:B9:78
         SHA1: 9E:7C:22:DA:61:AA:86:DB:D1:74:D4:AC:47:CA:DC:06:6A:21:C2:F0
         SHA256: 1D:8D:88:55:70:FE:01:BB:DB:5C:BD:E7:FF:79:62:02:CB:64:97:A7:16:A4:29:49:F1:94:8E:2F:7B:FC:D4:B5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Sample certificate with SubjectAltName details:
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: XXX
  DNSName: XXX]


Thanks and Regards,
S Sathish S
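An added Go example (not from the mail above or from the pcs project) that shows in code why a CN-only certificate like the pcsd.crt shown fails the check the quoted guidelines describe: Go's crypto/x509 compares the reference identity only against subjectAltName dNSName entries, so a certificate without that extension never matches. The host names and both self-signed certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway self-signed certificate (a constructed sample,
// not the real pcsd.crt) with the given subject CN and optional dNSName SANs.
func makeCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"pcsd"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // encoded as the subjectAltName extension (OID 2.5.29.17)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether the configured reference identity matches
// one of the certificate's subjectAltName dNSName entries. The CN in the
// subject DN is ignored entirely, which is why a CN-only cert always fails.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cnOnly, _ := makeCert("node1.example.test", nil)
	withSAN, _ := makeCert("node1.example.test", []string{"node1.example.test", "node1"})
	fmt.Println("CN only:", HostnameMatches(cnOnly, "node1.example.test"))           // false
	fmt.Println("with SAN:", HostnameMatches(withSAN, "node1.example.test"))         // true
	fmt.Println("with SAN, other host:", HostnameMatches(withSAN, "node2.example.test")) // false
}
```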
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
