#9308 othername:<unsupported> in SAN extension
Closed: invalid a year ago by abbra. Opened a year ago by ogonzales.

Goal
To generate SSL certificates with SAN DNS and IPs for hosts (not users) using certmonger

Issue
The SSL certificate is generated with the requested SAN DNS and IPs, plus another name type, "othername:<unsupported>", twice.

What I tried
I changed the constraints in the certificate profile as follows:

policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.11.default.name=Copy Common Name to Subject

and I also tried with

policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User supplied extension in CSR
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

Neither of them worked.

Here is the cert-request command I'm using:

ipa-getcert request -g 4096 -k /data/client.key -f /data/client.pem -N "cn=client.ipa.test" -K host/client.ipa.test -I my_cert_profile -D device -D machine -r

The SAN values must be read from the CSR and not from the certificate profile. That's why I didn't manually enter the desired DNS values in the certificate params: .params.subjAltExtType, params.subjAltExtGNEnable and params.subjAltExtPattern

I decided to use certmonger because it outputs the pem and key files. I'm trying to avoid certutil or openssl because certmonger is the easiest.

IPA version: VERSION: 4.9.10, API_VERSION: 2.248
Docker container image: freeipa-server:centos-8-stream


This issue tracker is for issues in FreeIPA, not for resolving administrative issues in your deployments. Please post your questions to the freeipa-users@ mailing list instead.

However, the 'issue' you describe is not an issue at all. At worst, it is a misunderstanding of the output you get. The OpenSSL command-line tool does not understand certain SAN types and thus prints them with an <unsupported> marker.

If you use the certtool utility from gnutls-utils, you'll see that SAN entry without any issue:

# certtool -i --infile /etc/pki/tls/certs/some-host.crt|grep -A3 'Subject Alternative Name'
        Subject Alternative Name (not critical):
            DNSname: some.host.name
            User Principal Name: host/some.host.name@EXAMPLE.TEST
            KRB5Principal: host/some.host.name@EXAMPLE.TEST

Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
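To make the explanation above concrete, here is an added example (not code from the ticket, from FreeIPA or from certmonger) that decodes a DER SubjectAltName and names the two otherName types certtool shows, which the reporter's openssl printed as othername:<unsupported>. It assumes the Microsoft UPN type-id (1.3.6.1.4.1.311.20.2.3, a UTF8String) and the RFC 4556 KRB5PrincipalName structure (1.3.6.1.5.2.2); the SAN bytes are constructed inline from those definitions rather than taken from a real certificate.

```python
# Added example, not code from the FreeIPA ticket: decode the otherName SAN entries
# that `openssl x509 -text` prints as "othername:<unsupported>". Stdlib only.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, Microsoft UPN
KRB5_OID = bytes.fromhex("2b0601050202")         # 1.3.6.1.5.2.2, KRB5PrincipalName (RFC 4556)
def tlv(tag, body):  # DER TLV writer; short or one-byte long-form length (body < 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def read_tlv(buf, pos=0):  # -> (tag, body, next_pos); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def read_seq(buf):  # body of a SEQUENCE -> list of (tag, body) children
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out
def decode_krb5_principal(seq_body):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] KerberosString, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    fields = dict(read_seq(seq_body))
    _, realm, _ = read_tlv(fields[0xA0])
    _, pn, _ = read_tlv(fields[0xA1])
    _, strings, _ = read_tlv(dict(read_seq(pn))[0xA1])
    return "/".join(b.decode() for _, b in read_seq(strings)) + "@" + realm.decode()
def decode_san(san_der):  # DER SubjectAltName (SEQUENCE OF GeneralName) -> [(type, value)]
    _, names, _ = read_tlv(san_der)
    out = []
    for tag, body in read_seq(names):
        if tag == 0x82:  # [2] dNSName, IA5String
            out.append(("DNSname", body.decode()))
        elif tag == 0xA0:  # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            (_, oid), (_, value) = read_seq(body)
            _, inner, _ = read_tlv(value)
            if oid == UPN_OID:  # value is a UTF8String
                out.append(("User Principal Name", inner.decode()))
            elif oid == KRB5_OID:
                out.append(("KRB5Principal", decode_krb5_principal(inner)))
            else: out.append(("otherName " + oid.hex(), inner.hex()))
        else: out.append(("GeneralName tag 0x%02x" % tag, body.hex()))  # iPAddress etc. left raw
    return out
PRINCIPAL = "host/some.host.name@EXAMPLE.TEST"  # constructed sample, as in the certtool output
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"some.host.name")
    + tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, PRINCIPAL.encode())))
    + tlv(0xA0, tlv(0x06, KRB5_OID) + tlv(0xA0, tlv(0x30,
          tlv(0xA0, tlv(0x1B, b"EXAMPLE.TEST"))  # realm, GeneralString
        + tlv(0xA1, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01"))  # name-type (sample value)
            + tlv(0xA1, tlv(0x30, tlv(0x1B, b"host") + tlv(0x1B, b"some.host.name")))))))))
```

Running `decode_san(SAMPLE_SAN)` yields the same three entries certtool prints above; the sample SAN body is 131 bytes, so it also exercises the long-form DER length.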


