cfssl
The CA cert's SAN extension does not include DNSName.
I use cfssl to sign an intermediate CA. The intermediate-ca.json has this "hosts" config:
{
  "CN": "Custom Widgets Intermediate CA",
  "hosts": [
    "host1.custom-widgets.com",
    "localhost",
    "192.168.1.3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "GB",
      "L": "London",
      "O": "Custom Widgets",
      "OU": "Custom Widgets Intermediate CA",
      "ST": "England"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}
The signed intermediate CA cert only includes the IP address "192.168.1.3", but the DNS names "host1.custom-widgets.com" and "localhost" are not included.
I used this ca-config.json:
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediate_ca": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "cert sign",
          "crl sign",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      }
    }
  }
}
I use these commands:
cfssl gencert -initca intermediate-ca.json | cfssljson -bare intermediate_ca
cfssl sign -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca
I found that the function FillTemplate in signer/signer.go has this code:
if template.IsCA {
    template.MaxPathLen = profile.CAConstraint.MaxPathLen
    if template.MaxPathLen == 0 {
        template.MaxPathLenZero = profile.CAConstraint.MaxPathLenZero
    }
    template.DNSNames = nil
    template.EmailAddresses = nil
    template.URIs = nil
}
DNSNames is set to nil. So is this a mistake, or am I missing something? Thank you!
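The stripping quoted above, plus a check for it, as an added Go example that is not part of cfssl or of this thread: SelfSign builds a self-signed certificate in memory (an assumed stand-in for cfssl's real signing path; for a CA it clears DNSNames the way FillTemplate does), and MissingSANs reports which requested hosts the SAN extension fails to cover, which is the check one otherwise does by eye with openssl x509 -text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// MissingSANs returns the hosts entries (DNS names or IPs) not covered by cert's SAN extension.
func MissingSANs(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if cert.VerifyHostname(h) != nil { // checks DNS and IP SANs, never the CN
			missing = append(missing, h)
		}
	}
	return missing
}

// SelfSign issues a constructed self-signed cert; with isCA it mirrors cfssl's FillTemplate (DNS SANs dropped).
func SelfSign(hosts []string, isCA bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Custom Widgets Intermediate CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	if isCA {
		tmpl.DNSNames = nil // the "template.DNSNames = nil" line quoted above
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

For a cert issued by cfssl itself, decode the PEM with encoding/pem, pass the parsed certificate and the CSR's "hosts" list to MissingSANs, and the CA cert will come back with its DNS names listed as missing while the IP address passes.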
Similar issue here: I can't find the X509v3 Subject Alternative Name section in my certificate.
ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "digital signature",
          "key encipherment",
          "cert sign"
        ]
      }
    }
  }
}
ca-csr.json
{
  "CN": "TEST",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "SAN": [
    "SAN_TEST1",
    "SAN_TEST2"
  ],
  "hosts": [
    "SAN_TEST1",
    "SAN_TEST2"
  ]
}
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
openssl x509 -in ca.crt -text -noout
Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:4f:94:20:de:60:19:3c:4b:50:11:5a:65:9c:0c:a0:9f:02:57:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TEST
        Validity
            Not Before: Apr 16 15:49:00 2023 GMT
            Not After : Apr 14 15:49:00 2028 GMT
        Subject: CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                28:60:02:83:B1:6C:A0:1C:BE:11:FD:68:51:D5:77:CC:37:75:87:71
--------------------
I'm expecting
            X509v3 Subject Alternative Name:
                DNS:SAN_TEST1
                DNS:SAN_TEST2
but nothing is here
---------------------
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
I got exactly the same issue, any updates please?
I can't quite remember if using certigo allowed me to see this; you can try it out @Smana
Hi @shellwhale, thank you for your answer, but I managed to do what I want with openssl here
Wonderful guide for setting up Vault with TLS; it's been quite a nightmare trying to get those certificates. Thanks @Smana