#7476 [RFE] cacert-manage-renew: sanity check Subject DN attribute encodings
Opened 6 years ago by ftweedal. Modified 5 years ago

Request for enhancement

When the user is providing an externally-signed cert (i.e. renewing
an externally-signed CA or switching from self-signed to
externally-signed) we should check that the Subject DN attribute encodings
are the same on the old and new certificates.

For the external -> self-signed case, because we call Dogtag to
issue the cert, all we can do is generate a CSR with the same
attribute encodings (this we do) and hope that Dogtag respects them
(this is the bug that was fixed in RHEL 7.5). But we can check the
new certificate post-issuance, and abort at that stage if the
encodings differ (although such a situation is itself a BUG, but proceeding
with the new attribute encodings could cause more subtle, harder to
solve problems than a failure to renew because of the mismatch).

See https://frasertweedale.github.io/blog-redhat/posts/2018-03-15-x509-dn-attribute-encoding.html for an explanation of why same subject DN with different attribute
encodings is a problem.
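The check the ticket asks for, as an added example (not FreeIPA or Dogtag code): a minimal DER walker that pulls the subject Name out of a certificate, records the ASN.1 string tag of every attribute value, and compares old against new. The sample Names and certificate skeletons are constructed inline; the mismatch they contain (O= as PrintableString in the old subject, UTF8String in the new one) is an assumed illustration of the kind of drift the ticket describes.

```python
"""Compare Subject DN attribute encodings between an old and a new certificate.

Added example for the RFE above; not FreeIPA's or Dogtag's code. Only the
TBSCertificate fields up to and including `subject` are parsed.
"""

STRING_TAG_NAMES = {
    0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
    0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _tlvs(content):
    """Yield (tag, value, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, end = _read_tlv(content, pos)
        yield tag, value, content[pos:end]
        pos = end


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(name_der):
    """Return [[(oid, string_tag, value_bytes), ...] per RDN] for a DER Name."""
    tag, content, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for set_tag, set_content, _ in _tlvs(content):
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        rdn = []
        for _, atv, _ in _tlvs(set_content):  # AttributeTypeAndValue SEQUENCE
            (_, oid, _), (val_tag, val, _) = list(_tlvs(atv))
            rdn.append((_decode_oid(oid), val_tag, val))
        rdns.append(rdn)
    return rdns


def subject_from_certificate(cert_der):
    """Walk Certificate -> tbsCertificate and return the raw DER of `subject`."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = list(_tlvs(tbs))
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][2]


def encoding_mismatches(old_name_der, new_name_der):
    """Describe every attribute whose ASN.1 encoding differs; [] means OK."""
    old, new = parse_name(old_name_der), parse_name(new_name_der)
    if [len(r) for r in old] != [len(r) for r in new]:
        return ["RDN structure differs between old and new subject"]
    problems = []
    for old_rdn, new_rdn in zip(old, new):
        for (o_oid, o_tag, o_val), (n_oid, n_tag, n_val) in zip(old_rdn, new_rdn):
            if o_oid != n_oid:
                problems.append(f"attribute type differs: {o_oid} vs {n_oid}")
            elif o_tag != n_tag:
                problems.append(f"attribute {o_oid}: old {STRING_TAG_NAMES.get(o_tag, hex(o_tag))} "
                                f"vs new {STRING_TAG_NAMES.get(n_tag, hex(n_tag))}")
            elif o_val != n_val:
                problems.append(f"attribute {o_oid}: value differs")
    return problems


# --- constructed sample data (DER built by hand; not real certificates) ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x80 | 2]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, body)


def _name(*attrs):
    """One single-valued RDN per (dotted_oid, string_tag, text) triple."""
    rdns = b"".join(_der(0x31, _der(0x30, _oid(o) + _der(t, v.encode()))) for o, t, v in attrs)
    return _der(0x30, rdns)


def _cert_skeleton(subject_der):
    """Just enough Certificate structure for subject_from_certificate() to walk."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _oid("1.2.840.113549.1.1.11"))
           + _name(("2.5.4.3", 0x13, "Issuer"))
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + subject_der)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _oid("1.2.840.113549.1.1.11")) + _der(0x03, b"\x00"))


OLD_SUBJECT = _name(("2.5.4.10", 0x13, "EXAMPLE.COM"), ("2.5.4.3", 0x13, "Certificate Authority"))
NEW_SUBJECT = _name(("2.5.4.10", 0x0C, "EXAMPLE.COM"), ("2.5.4.3", 0x13, "Certificate Authority"))
OLD_CERT, NEW_CERT = _cert_skeleton(OLD_SUBJECT), _cert_skeleton(NEW_SUBJECT)

if __name__ == "__main__":
    for line in encoding_mismatches(subject_from_certificate(OLD_CERT),
                                    subject_from_certificate(NEW_CERT)):
        print("ABORT renewal:", line)
```

A renewal tool would run `encoding_mismatches()` on the subject extracted from the currently installed CA certificate and from the candidate (externally-signed, or freshly issued by Dogtag) certificate, and refuse to proceed unless the list is empty; the string comparison is byte-for-byte, so only the tag difference is reported when the text is identical.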


Metadata Update from @fbarreto:
- Issue priority set to: normal

5 years ago
