On Tue, 07 Jun 2022, Bret Wortman wrote:
When I try adding it as an alt name:
# certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \
    -8 elastic.our.net,*.elastic.our.net,zsece01.our.net,zsece02.our.net,zsece03.our.net \
    elastic.our.net.csr
# ipa cert-request elastic.our.net.csr --principal host/elastic.our.net --profile wildcard
ipa: ERROR: The service principal for subject alt name *.elastic.spx.net in certificate request does not exist
I'm not sure how to add a wildcard host principal...
As stated in Fraser's blog, you cannot do that in the CSR. Instead, you
should do that in the certificate profile. You have already added a CN
with a wildcard there that way, so continue with that.
Fraser writes:
--------------
When constructing the certificate, Dogtag performs a variable
substitution into a subject name string. That string contains the
literal wildcard and the period to its right, and the common name (CN)
from the CSR gets substituted in after that. The relevant line in the
profile configuration is:
policyset.serverCertSet.1.default.params.name=CN=*.$request.req_subject_name.cn$,o=EXAMPLE.COM
When it comes to wildcards in Subject Alternative Name DNS-IDs, it might
be possible to configure a Dogtag profile to add this in a similar way
to the above, but I do not recommend it, nor am I motivated to work out
a reliable way to do this, given that wildcard certificates are
deprecated. (By the time TLS libraries eventually remove support for
treating the subject CN as a DNS-ID, I will have little sympathy for
organisations that still haven’t moved away from wildcard certs).
--------------
This is, of course, true, but if you need to do that, there are examples
in Dogtag of how to do it. For multiple alternative SAN names:
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/serverCert.profile.exampleWithSANpattern
This is what the example has as item 8 in the list; it accepts 4
dnsName(s) explicitly from the SANs, plus some other elements too:
-----------------------------------------------------------------------
list=2,4,5,6,7,8
...
8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
8.default.name=Subject Alternative Name Extension Default
8.default.params.subjAltExtGNEnable_0=true
8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
8.default.params.subjAltExtType_0=DNSName
8.default.params.subjAltExtGNEnable_1=true
8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
8.default.params.subjAltExtType_1=DNSName
8.default.params.subjAltExtGNEnable_2=true
8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
8.default.params.subjAltExtType_2=DNSName
8.default.params.subjAltExtGNEnable_3=true
8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
8.default.params.subjAltExtType_3=DNSName
8.default.params.subjAltExtType_4=OtherName
8.default.params.subjAltExtSource_4=UUID4
8.default.params.subjAltExtPattern_4=(IA5String)1.2.3.4,$server.source$
8.default.params.subjAltExtGNEnable_4=true
8.default.params.subjAltExtType_5=DNSName
8.default.params.subjAltExtPattern_5=myhost.example.com
8.default.params.subjAltExtGNEnable_5=true
8.default.params.subjAltNameExtCritical=false
8.default.params.subjAltNameNumGNs=6
----------------------------------------------------------------------
Let's say you'd need the wildcard for *.$request.req_subject_name.cn$
and a fixed set of servers:
Subject Alt Names
DNS Name zsece01.our.net
DNS Name zsece02.our.net
DNS Name zsece03.our.net
That is in total 4 names, so we specify wildcard based off the request
subject name and then three explicit host names:
----------------------------------------------------------------------
8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
8.default.name=Subject Alternative Name Extension Default
8.default.params.subjAltExtGNEnable_0=true
8.default.params.subjAltExtPattern_0=*.$request.req_subject_name.cn$
8.default.params.subjAltExtType_0=DNSName
8.default.params.subjAltExtGNEnable_1=true
8.default.params.subjAltExtPattern_1=zsece01.our.net
8.default.params.subjAltExtType_1=DNSName
8.default.params.subjAltExtGNEnable_2=true
8.default.params.subjAltExtPattern_2=zsece02.our.net
8.default.params.subjAltExtType_2=DNSName
8.default.params.subjAltExtGNEnable_3=true
8.default.params.subjAltExtPattern_3=zsece03.our.net
8.default.params.subjAltExtType_3=DNSName
8.default.params.subjAltNameExtCritical=false
8.default.params.subjAltNameNumGNs=4
----------------------------------------------------------------------
The certificate profile we'd build out of the above now ignores
CSR-passed SANs. Of course, you'd need to adjust the number (8..) to
where it would be in your own certificate profile.
There is a default approach in Dogtag, actually, that copies CN subject
to SANs as a SAN dnsName but it will fail for wildcards because it
validates that a CN is a proper hostname (which wildcard is not):
---------------------
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
---------------------
So instead of this one (12) you'd have to use the profile snippet from
above (8).
--
Bret Wortman
[email protected]
On Tue, Jun 7, 2022, at 11:07 AM, Alexander Bokovoy wrote:
On Tue, 07 Jun 2022, Bret Wortman via FreeIPA-users wrote:
I'm trying to create a wildcard certificate to use with some elasticsearch ECE
systems and it's not working quite right yet. I found Fraser's blog at
https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wildcard-certs.html
and followed the directions there. After installing the cert chain on my ES
servers, when I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN
error, even though the cert contains:
Subject Name
Organization OUR.NET 201804300753
Common Name *.elastic.our.net
Issuer Name
Organization OUR.NET 201804300753
Common Name Certificate Authority
Validity
Not Before Tue, 07 Jun 2022 14:48:08 GMT
Not After Fri, 07 Jun 2024 14:48:08 GMT
Subject Alt Names
DNS Name zsece01.our.net
DNS Name zsece02.our.net
DNS Name zsece013our.net
:
I've tried including elastic.our.net as an alt name too and it didn't prevent
the error. What am I missing?
You need to have dnsName: *.elastic.our.net in the SAN as well. Most
browsers stopped looking into CN already for CAs from the root CA list
but recently Firefox and Chrome also applied this to private CAs as
well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
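The following is an added example, not code from this thread, from FreeIPA or from Dogtag. It models the hostname check that produced Bret's SSL_ERROR_BAD_CERT_DOMAIN: a client matches the requested hostname against the certificate's SAN dNSName entries, and current browsers never consult the subject CN (the "modern" policy below). The "legacy" policy shows the older CN fallback; per RFC 6125 that fallback only ever applied when the certificate carried no dNSName at all, so a certificate with a wildcard CN and a SAN listing only the three explicit hosts fails for anything under elastic.our.net even on an old client. The certificate contents are constructed from the names Bret posted; ISSUED_CERT, FIXED_CERT and the function names are this example's own. The wildcard rules (only a whole leftmost label, covering exactly one label, never a bare suffix like *.net) are the ones browsers enforce today.

```python
"""Hostname matching against a leaf certificate's names, comparing the
SAN-only policy of current browsers with the legacy CN fallback.

Added example; not part of the FreeIPA-users thread or of Dogtag.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The identity-bearing parts of a server certificate (constructed)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _wildcard_pattern_ok(pattern: str) -> bool:
    # Browsers accept '*' only as the entire leftmost label and refuse
    # patterns that would cover a whole TLD or registrable domain (*.net).
    labels = pattern.split(".")
    return (
        labels[0] == "*"
        and len(labels) >= 3
        and all(label and "*" not in label for label in labels[1:])
    )


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID comparison.

    Case-insensitive; a leading '*.' label matches exactly one host label,
    so *.elastic.our.net covers node1.elastic.our.net but neither
    elastic.our.net itself nor a.b.elastic.our.net.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    if not _wildcard_pattern_ok(pattern):
        return False
    suffix = pattern[1:]              # ".elastic.our.net"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]   # the part the '*' has to cover
    return bool(head) and "." not in head


def hostname_verified(cert: CertNames, hostname: str, cn_fallback: bool = False) -> bool:
    """True if `hostname` is covered by the certificate.

    cn_fallback=False is what current browsers do: only SAN dNSName
    entries count. cn_fallback=True is the legacy rule: the subject CN is
    consulted only when the certificate has no dNSName SAN at all; once
    any dNSName is present the CN is ignored under both policies.
    """
    if cert.san_dns:
        return any(dns_id_matches(p, hostname) for p in cert.san_dns)
    return cn_fallback and dns_id_matches(cert.common_name, hostname)


# Constructed from the certificate Bret posted: wildcard CN, SAN listing
# only the three explicit hosts.
ISSUED_CERT = CertNames(
    common_name="*.elastic.our.net",
    san_dns=["zsece01.our.net", "zsece02.our.net", "zsece03.our.net"],
)

# What the adjusted profile emits: the wildcard as a SAN dNSName as well.
FIXED_CERT = CertNames(
    common_name="*.elastic.our.net",
    san_dns=["*.elastic.our.net", "zsece01.our.net", "zsece02.our.net", "zsece03.our.net"],
)


def report(cert: CertNames, hostname: str) -> dict[str, bool]:
    """Outcome of the check under both policies, for one hostname."""
    return {
        "modern": hostname_verified(cert, hostname),
        "legacy": hostname_verified(cert, hostname, cn_fallback=True),
    }


if __name__ == "__main__":
    for name in ("node1.elastic.our.net", "zsece01.our.net",
                 "elastic.our.net", "a.b.elastic.our.net"):
        print(f"{name:24s} issued={report(ISSUED_CERT, name)} "
              f"fixed={report(FIXED_CERT, name)}")
```

Running it shows node1.elastic.our.net rejected by ISSUED_CERT under both policies and accepted by FIXED_CERT, while elastic.our.net is covered by neither wildcard entry (it needs its own dNSName, as Bret found), and a.b.elastic.our.net is outside the wildcard's single-label reach.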
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure