brent timothy saner via plug on 5 Feb 2020 10:33:07 -0800



Re: [PLUG] openssl and specifying subjectAltName


On 2/5/20 12:48, Michael Leone wrote:
> 
> 
> We *are* the CA. These are internal certs, signed by our internal Linux CA.

When I say "the CA", I'm operating under the assumption that you control
both the CA and requester(s). But either way, it wouldn't matter; I'm
speaking about general X.509 structure here.

> 
>     But long story short, yes, 
> 
> 
> FYI, you could have just started with this. :)

I did.

"> Is that doable? I haven't seen how ...

nope; you haven't seen it because it isn't doable. OpenSSL expects a
static environment."

"The openssl.cnf syntax has a .include directive[0], but you're still
going to be manually editing a config if you want a different set of SANs."

If you don't want to manually edit for each request, assuming you still
want to add the SANs on the CA side, either you need to use some
programmatic method of generating CSRs, or use something that will
generate the CSRs for you like Vault.

If you include the SANs in the CSR itself instead, each requester just
needs its own static configuration of CN/SANs.

> 
>     those SANs need to be present in the
>     openssl.cnf if you're using openssl in some form or another, either via
>     an .include or what have you - as I originally stated.
> 
>     But the SANs should really be present in the CSR itself and approved by
>     the CA, not added by the CA.
> 
> 
> "Should be", yes. In reality, not always.
> 


If you control the CSR generation, there's no reason why it can't be in
the CSR as per best-practices based on the information you've given.



___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
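Added example, not code from this thread or from any project it mentions: the two ways of getting subjectAltName into a certificate issued by an internal CA that the reply above contrasts, done with nothing but the openssl CLI. The requester side keeps a small static config per host carrying its CN and SANs, so the SANs land in the CSR; the CA then inspects them, approves them against a policy, and copies them into the certificate (openssl ca with copy_extensions = copy). The other path, the CA adding SANs itself from an extension file at signing time, is shown next to it. Every host name, the internal zone .example.internal, the file names and the approval rule are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Requester-side SANs in the CSR, CA-side
# inspection/approval/copy, and the CA-adds-SANs variant for comparison.
# All names under .example.internal and all file names are made up for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway internal CA (assumption, as in the thread: you control the CA).
make_ca() {
    cat > "$WORK/ca-req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = ca.example.internal
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/ca-req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Requester side: one static config per host with its CN and SANs.
# $1 = short name for file names, $2 = CN, $3 = comma-separated SAN list. Prints CSR path.
make_csr_with_sans() {
    name=$1; cn=$2; sans=$3
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    echo "$WORK/$name.csr"
}

# Print the subjectAltName value line of a CSR / certificate, whitespace trimmed.
print_sans() { awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'; }
csr_sans()  { openssl req  -in "$1" -noout -text | print_sans; }
cert_sans() { openssl x509 -in "$1" -noout -text | print_sans; }

# CA approval step (assumed policy): every requested SAN must be a DNS name in
# the internal zone, and a CSR with no SANs at all is refused too.
sans_approved() {
    sans=$(csr_sans "$1")
    [ -n "$sans" ] || return 1
    for san in $(printf '%s\n' "$sans" | tr -d ','); do
        case "$san" in
            DNS:*.example.internal) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# CA side, variant 1: sign and copy the SANs found in the CSR. copy_extensions
# belongs to openssl ca(1), which needs its index and serial files.
sign_copying_csr_sans() {
    csr=$1; out=$2
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = internal
[internal]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/serial
default_md = sha256
default_days = 30
policy = cn_only
copy_extensions = copy
x509_extensions = server_cert
[cn_only]
commonName = supplied
[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$csr" -out "$out" 2>/dev/null
}

# CA side, variant 2: the CA supplies the SANs from its own extension file,
# which is the edit-a-config-per-request path the thread complains about.
# openssl x509 -req ignores whatever SANs the CSR asked for here.
sign_with_ca_added_sans() {
    csr=$1; out=$2; sans=$3
    printf 'subjectAltName = %s\n' "$sans" > "$WORK/ca-ext.cnf"
    openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca-ext.cnf" -out "$out" 2>/dev/null
}

demo() {
    make_ca
    csr=$(make_csr_with_sans app01 app01.example.internal \
        "DNS:app01.example.internal,DNS:www.app01.example.internal")
    echo "CSR asks for: $(csr_sans "$csr")"
    sans_approved "$csr" && sign_copying_csr_sans "$csr" "$WORK/app01.crt"
    echo "Cert carries: $(cert_sans "$WORK/app01.crt")"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh san-demo.sh demo, or source it and call the functions one at a time; everything lands in a temp directory (override with WORK=...). The approval function is the part worth keeping: copy_extensions = copy on its own makes the CA sign whatever names a requester puts in the CSR, so a check on the requested SANs has to sit between csr_sans and openssl ca, exactly the "approved by the CA, not added by the CA" split the reply argues for.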