
Lemur not adding OCSP and CRL URLs to issued certificates

Open netcom-rs opened this issue 3 years ago • 3 comments

Hi guys.

Does anyone have an issue with this? The plugin used is CFSSL. Everything else is fine. The intermediate certificate does have OCSP and CRL URLs in its attributes.

It seems like Lemur is not sending the correct profile to CFSSL. If I am correct, it should send the profile selected in the GUI.

config.json is:

{
  "signing": {
    "default": {
      "ocsp_url": "http://ocsp.domain.com:8889",
      "crl_url": "https://crl.ddomain.com/crl",
      "expiry": "8760h",
      "usages": [
        "signing",
        "key encipherment",
        "client auth"
      ]
    },
    "profiles": {
      "intermediate": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "cert sign",
          "crl sign",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      },
      "peer": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "client auth",
          "server auth"
        ],
        "expiry": "8760h"
      },
      "ocsp": {
        "usages": [
          "digital signature",
          "ocsp signing"
        ],
        "expiry": "8760h"
      },
      "server": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "server auth"
        ],
        "expiry": "8760h"
      },
      "client": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

netcom-rs avatar Sep 12 '21 16:09 netcom-rs
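A quick way to confirm the symptom on a certificate Lemur stored after signing is to parse it and read the Authority Information Access (OCSP) and CRL Distribution Points values directly. The Go program below is an added example by the editor, not code from Lemur or CFSSL: `issueTestCert` builds a constructed self-signed certificate with or without those extensions, and `revocationURLs` is the check you would run against a real DER certificate; the URLs are the ones from the config.json above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issueTestCert builds a constructed self-signed leaf certificate (test data only).
// An empty URL leaves that extension out, reproducing the symptom in this issue.
func issueTestCert(ocspURL, crlURL string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ocspURL != "" { // Authority Information Access, OCSP access method
		tmpl.OCSPServer = []string{ocspURL}
	}
	if crlURL != "" { // CRL Distribution Points extension
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// revocationURLs parses a DER certificate and returns the OCSP and CRL URLs it
// actually carries; two empty slices mean the signer never added the extensions.
func revocationURLs(der []byte) ([]string, []string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert.OCSPServer, cert.CRLDistributionPoints, nil
}

func main() {
	der, _ := issueTestCert("", "") // what a signing profile without the URLs yields
	ocsp, crl, _ := revocationURLs(der)
	fmt.Println("ocsp:", ocsp, "crl:", crl) // both empty: the reported symptom
}
```

To check a real certificate, decode the PEM block Lemur stores and pass its bytes to `revocationURLs`.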

Hello people of github :) anybody home? :))))))

netcom-rs avatar Sep 14 '21 17:09 netcom-rs

Hi @netcom-rs,

The CFSSL plugin is a community contribution, which I am not familiar with.

Glancing at the code, it looks like the certificate request data mostly consists of the CSR. You might need to add additional metadata to indicate OCSP or CRL, or the algorithms to be used, similar to how the DigiCert request is being constructed.

Also, often you can configure your profile with the CA and just send the profile_name in your request, similar to here.

Happy to review a PR, however, we don't have the option to test it.

hosseinsh avatar Sep 17 '21 16:09 hosseinsh

@hosseinsh I agree with what you said.

The CSR is constructed in Lemur by selecting either a predefined profile or manually ticking x509 extensions. After that, the CSR is sent to CFSSL for signing. The certificate then comes back from CFSSL into the Lemur database. Either the CSR is not constructed well on the Lemur side (with wrong x509 attributes) or CFSSL is not signing it properly.

The question is, how does CFSSL know which profile to select? Or does it use the default signing profile?

netcom-rs avatar Sep 17 '21 18:09 netcom-rs