the CA cert's SAN extensions not include DNSName. #1276

Open
senserhit opened this issue Mar 10, 2023 · 5 comments

Comments

@senserhit

I use cfssl to sign an intermediate CA. The intermediate-ca.json has this "hosts" config:

{
  "CN": "Custom Widgets Intermediate CA",
  "hosts": [
    "host1.custom-widgets.com",
    "localhost",
    "192.168.1.3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C":  "GB",
      "L":  "London",
      "O":  "Custom Widgets",
      "OU": "Custom Widgets Intermediate CA",
      "ST": "England"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}

The signed intermediate-ca cert only includes the IP address "192.168.1.3", but the DNS names "host1.custom-widgets.com" and "localhost" are not included.

I used this ca-config.json:

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediate_ca": {
        "usages": [
            "signing",
            "digital signature",
            "key encipherment",
            "cert sign",
            "crl sign",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
            "is_ca": true,
            "max_path_len": 0, 
            "max_path_len_zero": true
        }
      }
    }
  }
}

I use these commands:

cfssl gencert -initca intermediate-ca.json | cfssljson -bare intermediate_ca
cfssl sign -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca

I found that the function FillTemplate in the source file signer/signer.go has this code:

	if template.IsCA {
		template.MaxPathLen = profile.CAConstraint.MaxPathLen
		if template.MaxPathLen == 0 {
			template.MaxPathLenZero = profile.CAConstraint.MaxPathLenZero
		}
		template.DNSNames = nil
		template.EmailAddresses = nil
		template.URIs = nil
	}

The DNSNames are set to nil.
So is this a mistake, or am I missing something? Thank you!
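To make the effect of the quoted branch concrete, here is an added Go example (my own code, not cfssl's and not from the original post). It builds a CA template from the same "hosts" list as intermediate-ca.json, applies the quoted FillTemplate branch with the profile's max_path_len / max_path_len_zero values, self-signs the template and parses the DER back, so the resulting SANs can be inspected the same way openssl x509 -text shows them. The host splitting (IPs via net.ParseIP, everything else treated as a DNS name) and the function names IssueCA, applyCAConstraint, newCATemplate and splitHosts are assumptions for illustration; e-mail and URI hosts are not handled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// splitHosts sorts a cfssl-style "hosts" list into IP and DNS SANs.
// Assumption: this mirrors the observed split (IPs separate from DNS names);
// it is not cfssl's own parsing and ignores e-mail and URI entries.
func splitHosts(hosts []string) (dns []string, ips []net.IP) {
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			ips = append(ips, ip)
		} else {
			dns = append(dns, h)
		}
	}
	return dns, ips
}

// applyCAConstraint reproduces the branch quoted above from FillTemplate:
// for a CA template the path-length fields come from the profile and the
// DNS, e-mail and URI SANs are discarded. IPAddresses are left untouched,
// which is why only 192.168.1.3 survived in the issued certificate.
func applyCAConstraint(tmpl *x509.Certificate, maxPathLen int, maxPathLenZero bool) {
	if tmpl.IsCA {
		tmpl.MaxPathLen = maxPathLen
		if tmpl.MaxPathLen == 0 {
			tmpl.MaxPathLenZero = maxPathLenZero
		}
		tmpl.DNSNames = nil
		tmpl.EmailAddresses = nil
		tmpl.URIs = nil
	}
}

// newCATemplate builds a CA template from the CSR fields used in the issue.
func newCATemplate(cn string, hosts []string) *x509.Certificate {
	dns, ips := splitHosts(hosts)
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		DNSNames:              dns,
		IPAddresses:           ips,
	}
}

// IssueCA self-signs the template (with the quoted branch applied when
// withConstraint is true) and parses the DER back, so the SAN extension
// is read from the encoded certificate rather than from the template.
func IssueCA(hosts []string, withConstraint bool) (*x509.Certificate, error) {
	tmpl := newCATemplate("Custom Widgets Intermediate CA", hosts)
	if withConstraint {
		applyCAConstraint(tmpl, 0, true) // max_path_len 0, max_path_len_zero true
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	hosts := []string{"host1.custom-widgets.com", "localhost", "192.168.1.3"}
	for _, constrained := range []bool{false, true} {
		cert, err := IssueCA(hosts, constrained)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA branch applied=%-5v DNS=%v IPs=%v pathlen=%d pathlenZero=%v\n",
			constrained, cert.DNSNames, cert.IPAddresses, cert.MaxPathLen, cert.MaxPathLenZero)
	}
}
```

Running it prints one line per case: without the branch the certificate carries both DNS names and the IP; with the branch the DNS names are gone, the IP remains, and pathlen is encoded as 0. Go's x509 package itself has no objection to DNS SANs on a CA certificate, so the missing names are a consequence of this cfssl branch, not of the encoder.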

@shellwhale

shellwhale commented Apr 16, 2023

Similar issue here, I can't find the X509v3 Subject Alternative Name section in my certificate

ca-config.json

{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "digital signature",
                    "key encipherment",
                    "cert sign"
                ]
            }
        }
    }
}

ca-csr.json

{
    "CN": "TEST",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "SAN": [
        "SAN_TEST1",
        "SAN_TEST2"
    ],
    "hosts": [
        "SAN_TEST1",
        "SAN_TEST2"
    ]
}
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
openssl x509 -in ca.crt -text -noout

output

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:4f:94:20:de:60:19:3c:4b:50:11:5a:65:9c:0c:a0:9f:02:57:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TEST
        Validity
            Not Before: Apr 16 15:49:00 2023 GMT
            Not After : Apr 14 15:49:00 2028 GMT
        Subject: CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:fb:06:87:83:0a:75:a9:4a:1d:f9:2c:e8:29:
                    d9:76:06:a9:c5:ce:b1:47:3b:c4:76:62:60:03:79:
                    5f:44:51:b6:dc:36:27:f2:c0:a5:c1:3e:30:6c:8c:
                    79:03:a4:e1:14:4d:0d:e3:4e:d8:08:b8:f1:73:47:
                    f6:85:aa:19:3e:a6:74:d7:c8:48:b6:70:46:7a:82:
                    3c:67:5a:2f:9f:67:52:2e:d6:86:36:dd:4f:4a:f3:
                    12:55:77:ee:e1:85:66:8b:d0:f4:6e:71:e0:fe:5e:
                    f8:85:ad:3d:f4:92:15:6d:56:f7:af:c1:4f:83:46:
                    6d:70:4e:f2:14:83:5a:b0:a3:bf:a4:2a:04:53:8b:
                    c8:f0:b2:c0:7f:a1:00:3b:c7:da:6b:72:89:a6:b2:
                    7b:49:1f:ee:ea:41:1d:d3:93:fd:fb:b2:8e:7d:5c:
                    20:0e:7d:d5:bb:dc:98:05:be:c2:19:67:3e:64:d4:
                    ed:0a:94:df:96:7a:f6:b2:1e:12:53:b7:22:40:ea:
                    bf:a6:4c:bf:b4:e6:f7:ee:a5:7c:39:78:59:65:e0:
                    55:23:9a:be:18:19:bf:32:85:46:8e:e4:3c:27:44:
                    e7:5c:38:b7:0f:19:de:f6:ec:94:4c:1f:42:b2:93:
                    2e:c7:79:23:f9:1b:27:73:72:a4:68:d4:17:a5:1e:
                    b5:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                28:60:02:83:B1:6C:A0:1C:BE:11:FD:68:51:D5:77:CC:37:75:87:71

            --------------------
            I'm expecting
            X509v3 Subject Alternative Name:
                DNS:SAN_TEST1
                DNS:SAN_TEST2
            but nothing is here
            ---------------------

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        05:fd:d9:42:a8:7f:70:39:c4:b8:bc:b7:3b:8a:37:e5:17:4c:
        5d:a2:39:62:3b:16:e0:4f:3b:95:43:06:5e:74:7b:85:90:da:
        d2:fc:cc:7a:a6:bb:e4:ab:6b:40:4a:43:51:f0:04:fb:24:38:
        a8:a7:46:eb:6a:f3:ef:f0:58:d5:0d:e4:8d:38:7a:2e:f8:41:
        a8:bc:99:9f:e0:c7:74:91:c0:ff:0d:11:07:0c:82:34:65:e7:
        4b:92:12:fe:24:0e:cd:28:9c:49:7c:22:6f:e2:ea:33:8d:12:
        a5:76:65:97:54:7d:30:68:bc:c6:eb:f4:f9:68:4a:ec:bb:39:
        33:93:3c:ae:1f:f9:35:cc:2b:ac:ca:68:8e:56:79:b8:9c:f3:
        3b:b2:da:49:cd:79:8a:08:63:17:24:9c:fe:bc:f6:1d:8a:32:
        fc:fa:50:4f:fc:b8:97:eb:81:49:82:7f:f9:1a:cd:d9:2d:9d:
        72:b5:22:9d:af:2c:81:86:55:bf:4b:1e:f9:be:3e:26:43:0e:
        4a:00:af:f9:14:1b:21:f7:03:7f:d8:7c:e7:68:ec:06:e2:18:
        ec:e8:d7:74:17:3c:0f:ac:2e:5d:3a:e5:85:95:54:ee:37:8a:
        33:8b:e9:84:9b:26:ac:f9:97:0a:68:b6:3e:a3:63:27:46:77:
        f7:02:c1:9a

@Smana

Smana commented Jan 5, 2024

I got exactly the same issue, any updates please?

@shellwhale

shellwhale commented Jan 6, 2024

> I got exactly the same issue, any updates please?

I can't quite remember if using certigo allowed me to see this; you can try it out, @Smana.

@Smana

Smana commented Jan 7, 2024

Hi @shellwhale, thank you for your answer, but I managed to do what I want with openssl here.

@sirkev

sirkev commented Jul 21, 2024

Wonderful guide for setting up Vault with TLS; it's been quite a nightmare trying to get those certificates. Thanks @Smana.
