On 28. 02. 20 at 8:06 S Sathish S wrote:
Hi Team,

We have found that the Pacemaker certificate is not generated with SubjectAlternativeName.

You are right, SubjectAlternativeName is not specified. Minor correction though, it's pcsd certificate, not pacemaker.

Please find the general guidelines :

In case client certificates are required, verification of the client identity SHOULD use the first matching subjectAltName field of the client certificate to be compared with an authorization identity present in a local or central AA database.

Client certificates are not used with pcsd.

To mitigate the Man-in-the-Middle risk, the server identity verification is RECOMMENDED to be done as well. A client can accept several server certificates in certificate validation issued by the same trusted CA.

After certificate chain validation, the TLS client MUST check the identity of the server with a configured reference identity (e.g., a hostname). The clients MUST support checks using the subjectAltName field with type dNSName. If the certificate contains multiple subjectAltName values then a match with any one of the fields is considered acceptable.

I don't see anything here that would say subjectAltName is required to be present in certificates. Is the fact that subjectAltName is not defined causing you any specific problems?

In any case, you are free and recommended to replace the default pcsd certificate with your own. You can use 'pcs pcsd certkey' and 'pcs pcsd sync-certificates' to do so.


Regards,
Tomas

Current Certificate details:

#keytool -printcert -file /var/lib/pcsd/pcsd.crt
Owner: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Issuer: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Serial number: 1703482bc5b
Valid from: Tue Feb 11 14:49:08 CET 2020 until: Fri Feb 08 14:49:08 CET 2030
Certificate fingerprints:
          MD5:  6E:C9:F8:E2:B9:F7:F6:65:53:B4:BD:B9:18:71:B9:78
          SHA1: 9E:7C:22:DA:61:AA:86:DB:D1:74:D4:AC:47:CA:DC:06:6A:21:C2:F0
         SHA256: 1D:8D:88:55:70:FE:01:BB:DB:5C:BD:E7:FF:79:62:02:CB:64:97:A7:16:A4:29:49:F1:94:8E:2F:7B:FC:D4:B5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Sample certificate with SubjectAltName details:

#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
   DNSName: XXX
   DNSName: XXX]

Thanks and Regards,

S Sathish S


_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
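The thread ends with the suggestion to replace the default pcsd certificate with one of your own. The script below is an added example, not code from the thread or from the pcs project: it generates a self-signed replacement certificate that carries dNSName subjectAltName entries, checks whether a given certificate has a SAN at all (the situation Sathish reports), and confirms that a TLS-style hostname check against the SAN succeeds. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the hostnames `node1.example.com` and `node1` are placeholders. The `pcs pcsd certkey` and `pcs pcsd sync-certificates` commands from Tomas's reply are shown in a comment only and are not executed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the pcs project).
# Assumes: openssl >= 1.1.1; hostnames are placeholders.

# Generate a self-signed cert + key WITH subjectAltName (DNS) entries.
#   $1 = output directory, $2 = primary hostname (CN and first SAN), $3 = extra SAN name
gen_cert_with_san() {
    dir="$1"; host="$2"; alt="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/pcsd.key" -out "$dir/pcsd.crt" \
        -subj "/CN=$host/OU=pcsd/O=pcsd" \
        -addext "subjectAltName=DNS:$host,DNS:$alt" >/dev/null 2>&1
}

# Generate a cert WITHOUT subjectAltName, mirroring the default pcsd cert in the thread.
#   $1 = output directory, $2 = hostname used as CN only
gen_cert_without_san() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/nosan.key" -out "$dir/nosan.crt" \
        -subj "/CN=$host/OU=pcsd/O=pcsd" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN extension lists the given DNS name.
cert_has_san_dns() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -q "DNS:$name"
}

# Return 0 if the certificate has no SAN extension at all.
cert_lacks_san() {
    ! openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Return 0 if a hostname check (as a TLS client would do it) accepts the cert
# for the given name. Self-signed, so the cert is its own trust anchor here.
cert_matches_hostname() {
    cert="$1"; name="$2"
    openssl verify -CAfile "$cert" -verify_hostname "$name" "$cert" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    gen_cert_with_san "$dir" node1.example.com node1
    gen_cert_without_san "$dir" node1.example.com
    if cert_lacks_san "$dir/nosan.crt"; then
        echo "nosan.crt: no subjectAltName (like the default pcsd cert)"
    fi
    if cert_has_san_dns "$dir/pcsd.crt" node1.example.com; then
        echo "pcsd.crt: subjectAltName present"
    fi
    # Install the new pair on the cluster nodes (commands from the thread; not run here):
    #   pcs pcsd certkey "$dir/pcsd.crt" "$dir/pcsd.key"
    #   pcs pcsd sync-certificates
    rm -rf "$dir"
}
```

Run `demo` to see both outcomes side by side; the same `cert_lacks_san` check can be pointed at `/var/lib/pcsd/pcsd.crt` to confirm what `keytool -printcert` showed in the thread.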

