SAN extensions not added to certificates #5008

Errandil85 opened this issue Mar 20, 2025 · 4 comments
Comments

@Errandil85

Hi all,

I am following documentation:
https://github.com/dogtagpki/pki/wiki/Generating-Certificate-Request-with-OpenSSL#generating-certificate-request-with-san-extension

It looks to me that if I approve the request with the caServerCert profile, it does not add the SAN extensions.

This is in the request:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=NL, ST=LAB, L=Lab, O=LAB, OU=IT, CN=labuxca01.idm.lab.local, [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:e4:74:99:1a:25:89:29:c1:79:5b:34:71:83:
                    99:b2:08:07:4c:0c:5b:e2:e2:20:b5:46:65:36:fb:
                    10:c0:78:71:f4:ef:12:aa:cc:0a:c2:f0:7d:59:37:
                    da:ee:2c:ec:8a:9d:74:fa:1a:89:6f:8c:59:1f:84:
                    a7:11:1f:f6:69:aa:64:e8:f6:57:52:30:79:08:2a:
                    20:fc:e0:f8:b3:b3:65:56:c5:ff:66:5d:12:68:ad:
                    70:99:7b:94:df:ab:7d:a8:c5:7e:74:06:0e:7d:7b:
                    3f:09:89:55:db:d8:4e:79:a5:84:b5:bd:be:52:f4:
                    e9:18:1b:34:5d:6f:ef:8c:fb:7f:e2:f5:b7:44:2b:
                    85:e4:38:77:fb:1f:57:7d:c2:e5:26:ee:20:ad:fb:
                    4d:b6:06:9f:e8:7f:9f:04:38:1f:75:4d:26:6e:25:
                    e7:88:f9:0a:e8:8a:78:2f:1e:a6:0e:ed:9f:da:5f:
                    3f:17:5a:2c:3b:e8:78:e0:7a:c8:1a:fa:b3:3e:6a:
                    14:ff:5f:4a:f1:65:ce:57:bc:83:98:e8:ef:d2:f8:
                    0f:c6:0e:a2:f6:5d:0a:36:44:fa:ba:f7:2e:35:30:
                    1e:ad:71:82:1f:16:cc:6e:f1:95:d3:b6:58:4a:5c:
                    13:55:aa:81:06:26:b2:72:84:8f:43:13:75:ea:4a:
                    1e:31
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    DNS:labuxca01.idm.lab.local, DNS:lab.local, DNS:www.lab.local
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9e:e8:63:cc:be:0b:a3:b6:da:69:ed:76:90:2d:a7:e6:65:7d:
        9a:d0:e9:c2:66:b6:d4:b9:1d:6f:d0:be:6b:94:6f:9c:95:03:
        c0:75:74:57:a4:88:25:fc:dc:4d:56:d8:af:ef:d5:e0:b2:a9:
        97:93:a7:fd:9a:9b:88:18:a4:4c:85:75:31:2b:d6:4f:63:aa:
        8b:6f:b7:74:e5:3c:42:24:00:cb:a8:b7:0a:40:31:e4:21:f7:
        38:d4:4c:47:4a:a0:0e:bc:cf:20:12:29:45:d5:8f:ce:64:54:
        82:f3:11:1c:9a:98:05:27:43:24:a1:ed:a5:43:a0:a3:16:de:
        f3:8f:84:e3:3e:75:af:d4:a4:5d:27:59:c4:73:5e:be:84:0c:
        5e:4b:b9:10:06:e8:52:43:96:02:6c:5b:00:58:c4:75:da:a7:
        43:e6:b5:40:f5:55:95:74:ef:f1:d6:5e:e2:3b:21:f1:f0:16:
        5c:00:65:2b:f0:06:d5:16:11:fb:70:40:55:a7:d8:8f:e7:7b:
        fd:a8:af:09:47:ab:9b:53:54:57:53:15:09:d7:b6:90:c2:8d:
        8c:67:d3:26:63:a4:f7:66:8a:3e:73:a4:79:fb:50:a9:c0:d0:
        6c:f6:e9:3f:44:59:39:ff:1f:9e:8e:02:70:b5:a3:b6:03:3c:
        0d:fb:3f:a9

This is the output certificate:

Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0xA25E4C5D43043E1A1B55C6109DB97F94
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=LAB_CA2
            Validity: 
                Not Before: Thursday, March 20, 2025, 10:44:40 AM Central European Standard Time Europe/Amsterdam
                Not  After: Wednesday, March 10, 2027, 10:44:40 AM Central European Standard Time Europe/Amsterdam
            Subject: [email protected], CN=labuxca01.idm.lab.local, OU=IT, O=LAB, L=Lab, ST=LAB, C=NL
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        DC:E4:74:99:1A:25:89:29:C1:79:5B:34:71:83:99:B2:
                        08:07:4C:0C:5B:E2:E2:20:B5:46:65:36:FB:10:C0:78:
                        71:F4:EF:12:AA:CC:0A:C2:F0:7D:59:37:DA:EE:2C:EC:
                        8A:9D:74:FA:1A:89:6F:8C:59:1F:84:A7:11:1F:F6:69:
                        AA:64:E8:F6:57:52:30:79:08:2A:20:FC:E0:F8:B3:B3:
                        65:56:C5:FF:66:5D:12:68:AD:70:99:7B:94:DF:AB:7D:
                        A8:C5:7E:74:06:0E:7D:7B:3F:09:89:55:DB:D8:4E:79:
                        A5:84:B5:BD:BE:52:F4:E9:18:1B:34:5D:6F:EF:8C:FB:
                        7F:E2:F5:B7:44:2B:85:E4:38:77:FB:1F:57:7D:C2:E5:
                        26:EE:20:AD:FB:4D:B6:06:9F:E8:7F:9F:04:38:1F:75:
                        4D:26:6E:25:E7:88:F9:0A:E8:8A:78:2F:1E:A6:0E:ED:
                        9F:DA:5F:3F:17:5A:2C:3B:E8:78:E0:7A:C8:1A:FA:B3:
                        3E:6A:14:FF:5F:4A:F1:65:CE:57:BC:83:98:E8:EF:D2:
                        F8:0F:C6:0E:A2:F6:5D:0A:36:44:FA:BA:F7:2E:35:30:
                        1E:AD:71:82:1F:16:CC:6E:F1:95:D3:B6:58:4A:5C:13:
                        55:AA:81:06:26:B2:72:84:8F:43:13:75:EA:4A:1E:31
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        46:18:C9:BF:B0:05:6D:99:33:34:20:86:65:D8:D8:CD:
                        3F:A3:38:40
                Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no 
                    Value: 
                        DNSName: labuxca01.idm.lab.local
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://labuxca01.idm.lab.local:8080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Key Encipherment 
                        Data Encipherment 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.1
                        1.3.6.1.5.5.7.3.2
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                6A:BB:B4:E3:50:A4:11:AE:B3:E4:78:A8:3F:BF:C3:94:
                7B:56:52:F8:A7:A8:4A:A0:E2:C3:5A:35:4D:37:E2:93:
                A2:BB:68:11:58:0A:38:B0:D3:F5:D1:0F:21:2F:0A:64:
                07:DE:D8:C8:5D:DB:11:9E:6E:1C:1E:8B:74:8F:94:51:
                5C:85:5C:CC:DB:7E:64:CC:E6:5B:DA:9E:23:39:DD:E0:
                20:F3:C4:41:A6:76:DB:F1:5A:82:22:4D:E0:94:65:8C:
                94:AC:35:73:22:B5:EA:6E:F8:53:E1:E0:76:E7:60:08:
                23:0A:D4:BA:9E:C7:03:14:B3:A5:23:ED:52:20:C9:EA:
                88:C1:38:7A:CD:FB:5C:BA:F9:A0:61:E2:78:30:1A:A8:
                86:1D:71:2B:63:21:EA:C7:73:50:14:18:AD:25:AA:66:
                1F:C8:C8:A1:B2:32:53:0A:A0:96:3B:72:C3:68:DA:F5:
                1B:32:96:F0:58:AC:FA:74:3E:48:35:C3:CF:37:36:70:
                72:0A:45:D7:56:22:90:AC:99:C6:F4:E0:2C:B1:C2:10:
                6C:00:2D:DA:D6:66:A6:01:CC:9D:B3:4F:2C:9E:32:BF:
                1A:E5:2B:4B:E9:5E:55:0E:94:3B:67:C5:F0:85:ED:39:
                39:0C:F9:63:B9:E0:FA:9A:83:31:B2:1B:E5:89:96:D6:
                7E:4C:3A:85:D7:13:4B:98:BD:67:EC:6A:B0:5E:2F:23:
                C4:8C:59:CB:F4:3F:B7:0C:F9:23:B5:AF:AC:07:E4:83:
                73:1E:EB:96:2E:15:72:30:7A:EE:4E:8E:BB:32:0E:BC:
                95:52:71:B9:20:E0:E9:75:B9:3F:1E:5B:25:53:87:97:
                59:A0:11:00:23:1A:53:12:9A:45:06:65:3E:E4:DE:99:
                18:05:D1:46:34:E4:9F:D0:56:67:5F:C2:2E:F2:DF:F8:
                43:1C:6F:8A:ED:C5:F9:DA:2A:61:B3:14:BD:52:88:6C:
                2B:A7:C9:72:D2:94:CB:63:4E:12:28:5A:F9:2F:12:13
        FingerPrint
            MD2:
                21:60:98:51:17:B4:2D:22:8B:09:06:39:5A:E1:48:65
            MD5:
                4F:CA:DA:2D:F9:0B:83:0A:2A:E7:4C:FE:BB:2C:80:25
            SHA-1:
                A3:32:3A:2F:A5:AB:8A:01:C2:1B:76:D0:C2:98:98:44:
                6D:39:19:E2
            SHA-256:
                0A:F5:32:CF:9A:8A:41:AB:53:F1:86:F1:4C:E3:39:4C:
                6F:C9:8B:01:2D:DC:C2:C6:10:60:A8:8F:F2:F9:25:76
            SHA-512:
                1A:FE:53:32:52:36:38:7F:F0:5F:68:B1:AC:A6:D6:89:
                C5:5B:68:72:EC:57:BE:3E:DF:86:42:5C:8F:A1:40:E7:
                7C:57:90:F6:99:97:34:53:DA:39:93:34:24:09:74:E2:
                63:8F:6C:02:95:57:CB:EE:34:E7:28:1C:4A:3C:9A:25

Is this a bug, or am I using the wrong profile?

@fmarco76
Member

Hi @Errandil85,

Looking at the profile file here, it seems that the SAN has to match the CN for this profile.

@Errandil85
Author

Thank you, @fmarco76
I tried changing the profile without any luck. Is there a profile that I could use, or documentation on how I can build one?

@fmarco76
Member

Not sure about the other certificate, but you could find some documentation here: https://github.com/dogtagpki/pki/wiki/CA-Certificate-Profiles

@Errandil85
Author

Errandil85 commented Mar 21, 2025

Just for reference, if someone is searching for the same thing.
I have created a new profile. The only limitation is that the SANs (DNSName) need to be added during the approval process; they do not get read from the CSR. I will try to find a way to get that working.

auth.class_id=
desc=This certificate profile is for enrolling server certificates.
enable=true
enableBy=caadmin
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=caWebCert
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=.*
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjectAltNameCritical=false
policyset.serverCertSet.9.default.params.subjectAltNameDNS_0=
policyset.serverCertSet.9.default.params.subjectAltNameNumDNS=1
policyset.serverCertSet.9.default.params.subjectAltNameNumGNs=0
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,12
visible=true
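The thread above boils down to a mismatch between what the CSR asked for and what the CA issued, plus a profile whose SAN default is filled in by hand at approval time. The script below is an added example, not code from the issue or from the Dogtag project: it takes the two text dumps as shown in the thread (`openssl req -text` for the CSR, Dogtag's pretty-printed certificate for the result), extracts the DNS names from each SAN extension, and reports names that were requested but not issued and names that were issued but never requested. It also scans a profile fragment for the policy defaults that populate the SAN extension and for `subjectAltNameDNS_N` parameters left empty, which is the "must be added at approval" situation the last comment describes. The embedded CSR, certificate and profile snippets are constructed, trimmed copies of the ones posted above; the function names and the regular expressions are this example's own and assume the dump formats shown on this page.

```python
"""Compare requested vs. issued SAN names and inspect a Dogtag profile's SAN defaults.

Added example (not part of the issue or of Dogtag). Input formats assumed:
  - CSR:  `openssl req -text` output (the 'Requested Extensions' block)
  - cert: Dogtag's pretty-printed certificate ('Identifier: Subject Alternative Name')
  - profile: Dogtag CA profile properties (key=value lines)
"""
import re

# Constructed, trimmed copy of the CSR dump from the thread.
CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=NL, ST=LAB, L=Lab, O=LAB, OU=IT, CN=labuxca01.idm.lab.local
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    DNS:labuxca01.idm.lab.local, DNS:lab.local, DNS:www.lab.local
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed, trimmed copy of the issued-certificate dump from the thread.
CERT_TEXT = """\
Certificate: 
        Data: 
            Version:  v3
            Subject: CN=labuxca01.idm.lab.local, OU=IT, O=LAB, L=Lab, ST=LAB, C=NL
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no 
                    Value: 
                        DNSName: labuxca01.idm.lab.local
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
"""

# Constructed excerpt of the custom profile posted in the last comment.
PROFILE_TEXT = """\
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjectAltNameDNS_0=
policyset.serverCertSet.9.default.params.subjectAltNameNumDNS=1
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
"""


def requested_sans(openssl_req_text):
    """DNS names under 'X509v3 Subject Alternative Name' in `openssl req -text` output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", openssl_req_text)
    if not m:
        return set()
    # Entries look like "DNS:host, DNS:other, IP Address:10.0.0.1"; keep only DNS ones.
    return {
        item.split(":", 1)[1].strip().lower()
        for item in m.group(1).split(",")
        if item.strip().startswith("DNS:")
    }


def issued_sans(dogtag_cert_text):
    """DNSName values inside the SAN extension of Dogtag's pretty-printed certificate."""
    m = re.search(
        r"Identifier: Subject Alternative Name - 2\.5\.29\.17\n(.*?)(?=\n\s*Identifier:|\Z)",
        dogtag_cert_text,
        re.S,
    )
    if not m:
        return set()
    return {n.strip().lower() for n in re.findall(r"DNSName:\s*(\S+)", m.group(1))}


def san_diff(csr_text, cert_text):
    """Names requested but not issued (TLS clients will fail on those hostnames) and
    names issued but never requested (the CA added something the requester did not ask for)."""
    req, got = requested_sans(csr_text), issued_sans(cert_text)
    return {"missing": sorted(req - got), "unexpected": sorted(got - req)}


def profile_san_defaults(profile_text):
    """Policy defaults in a Dogtag profile that populate the SAN extension, keyed by
    policy number, plus every subjectAltNameDNS_N parameter that is left empty."""
    defaults, empty = {}, []
    for line in profile_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if not sep:
            continue
        parts = key.split(".")
        if key.endswith(".default.class_id") and re.search(r"SAN|subjectAltName", val):
            defaults[parts[2]] = val
        if re.search(r"\.subjectAltNameDNS_\d+$", key) and val == "":
            empty.append(key)
    return {"defaults": defaults, "empty_dns_params": empty}


if __name__ == "__main__":
    print(san_diff(CSR_TEXT, CERT_TEXT))
    print(profile_san_defaults(PROFILE_TEXT))
```

Run it against a real pair of dumps before trusting a newly approved server certificate: a non-empty `missing` list means the profile discarded part of the CSR (as happened with caServerCert above), and a non-empty `unexpected` list is the more serious finding, since it means the CA asserted a name nobody validated. For the profile check, an empty `subjectAltNameDNS_0` together with `subjectAltNameExtDefaultImpl` confirms that the value has to be typed in by the approving agent rather than copied from the request.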
