Hi list.
Is it possible to add email subjectAltName to a certificate when it is being signed by the IPA?
My use case is that I have CSRs generated by the users. The tool used to generate the CSR does not allow me to include an email subjectAltName. The problem is that the private key is held on an external device, so I am not easily able to manipulate the CSR using openssl.
I already have a specific certificate profile added to IPA, used for this process. But I am not sure if it is possible to enforce adding SAN with user's email address when signing the certificate. I'd be grateful for any hints.
Best regards,
Radoslaw
Radosław Kujawa via FreeIPA-users wrote:
Hi list.
Is it possible to add email subjectAltName to a certificate when it is being signed by the IPA?
My use case is that I have CSRs generated by the users. The tool used to generate the CSR does not allow me to include an email subjectAltName. The problem is that the private key is held on an external device, so I am not easily able to manipulate the CSR using openssl.
I already have a specific certificate profile added to IPA, used for this process. But I am not sure if it is possible to enforce adding SAN with user's email address when signing the certificate. I'd be grateful for any hints.
How would the profile know what e-mail to add?
rob
Hi.
On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote:
Radosław Kujawa via FreeIPA-users wrote:
Hi list.
Is it possible to add email subjectAltName to a certificate when it is being signed by the IPA?
How would the profile know what e-mail to add?
These certificates are treated by IPA as "user certificates". The CN is set to IPA user's login.
By some magic, IPA knows that such a certificate should be added to the LDAP object representing a particular user.
I hoped it would be possible to instruct it to fetch the email attribute from the LDAP object when signing the cert (based on the CN) and put it into the subjectAltName.
Best regards, Radoslaw
On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
These certificates are treated by IPA as "user certificates". The CN is set to IPA user's login.
By some magic, IPA knows that such a certificate should be added to the LDAP object representing a particular user.
I hoped it would be possible to instruct it to fetch the email attribute from the LDAP object when signing the cert (based on the CN) and put it into the subjectAltName.
Best regards, Radoslaw
A modern enterprise PKI should be able to do it. But FreeIPA cannot. It's fundamentally possible but a lot of work to achieve it. I blogged about it several years ago:
https://frasertweedale.github.io/blog-redhat/posts/2015-11-04-freeipa-pki-fu...
For now, you must get the rfc822Name into the CSR's SAN extension, somehow. What tool are you using to generate those CSRs? Perhaps we can help find a way to do it.
Cheers, Fraser
Hi.
On 10/12/20 3:05 AM, Fraser Tweedale via FreeIPA-users wrote:
A modern enterprise PKI should be able to do it. But FreeIPA cannot. It's fundamentally possible but a lot of work to achieve it. I blogged about it several years ago:
https://frasertweedale.github.io/blog-redhat/posts/2015-11-04-freeipa-pki-fu...
For now, you must get the rfc822Name into the CSR's SAN extension, somehow. What tool are you using to generate those CSRs? Perhaps we can help find a way to do it.
Long story short, the organization where I work has adopted Yubikeys as the primary authentication method. This is working out well for us so far. Since we are already using IPA user certificates for PIV authentication, the thought appeared that we could use the same certs for S/MIME (at least Evolution appears to be able to successfully access the PIV cert on the Yubikey to perform signing).
The Yubikey "provisioning" process is currently self-service. Due to the small size of the organization (and the fact that currently most people work from home), it would be nice if it could stay this way. All users equipped with a Yubikey have a CA ACL that allows them to request certs using a customized caIPAuserCert profile.
Currently, from the user's perspective this is as simple as:
$ yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
$ yubico-piv-tool -a verify -a request -s 9a -P $PIN -S "/CN=$(whoami)/" -i pub.pem -o req.pem
$ ipa cert-request --profile-id=caIPAuserCert --principal $(whoami) req.pem
Then downloading the signed user certificate and running:
$ yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
Note that in this setup the private key is generated on the Yubikey and never leaves the device.
The yubico-piv-tool -a request does not seem to have an option to add any kind of SAN to the CSR.
I know at least theoretically it is possible to generate the private key and CSR using openssl, then sign in IPA, and import the resulting private key and certificate onto Yubikey. However, from a security perspective, I see more opportunities for the user to mess up something here.
One more doubt appears here. I obviously wouldn't want the user to sign a certificate with different email in CSR than appears in their own LDAP object...
Best regards, Radoslaw
On Mon, Oct 12, 2020 at 09:36:26AM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
Currently, from the user's perspective this is as simple as:
$ yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
$ yubico-piv-tool -a verify -a request -s 9a -P $PIN -S "/CN=$(whoami)/" -i pub.pem -o req.pem
$ ipa cert-request --profile-id=caIPAuserCert --principal $(whoami) req.pem
Then downloading the signed user certificate and running:
$ yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
Note that in this setup the private key is generated on the Yubikey and never leaves the device.
The yubico-piv-tool -a request does not seem to have an option to add any kind of SAN to CSR.
I know at least theoretically it is possible to generate the private key and CSR using openssl, then sign in IPA, and import the resulting private key and certificate onto Yubikey. However, from a security perspective, I see more opportunities for the user to mess up something here.
Yubico provides a PKCS #11 module for YubiKeys when configured in PIV mode. In fact it is installed as part of the Fedora yubico-piv-tool package:
ftweedal% rpm -ql yubico-piv-tool | grep ykcs
/usr/lib64/libykcs11.so.1
/usr/lib64/libykcs11.so.2.1.1
With that, the user can use OpenSSL, NSS or another tool to interface with the token to generate the key and CSR. It is true that this is nontrivial and easy for a typical user to mess up. But it should not be much work to write a small script/program for users to use, and hide the tricky bits.
One more doubt appears here. I obviously wouldn't want the user to sign a certificate with different email in CSR than appears in their own LDAP object...
FreeIPA cert-request command validates the names in the CSR against the subject principal. For rfc822Name, the subject principal must have a matching 'mail' attribute value. So if the user supplies a CSR with the wrong email, the request will be rejected.
Cheers, Fraser
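The two technical points of the thread, that the rfc822Name has to be carried in the CSR's SAN extension because the profile cannot look it up, and that cert-request then checks every rfc822Name against the subject principal's 'mail' values, as an added example that is not part of the thread and is not FreeIPA's own code. Assumptions: the RSA key is an in-memory software key standing in for the Yubikey 9a slot (on a real token the same CSR would be signed through libykcs11), DIRECTORY is a constructed stand-in for the IPA user entries, the exact string comparison of mail values and the rejection of non-rfc822Name SAN entries are this example's choices, not rules stated in the thread.

```python
"""Added example (not from the thread, not FreeIPA code): build a user CSR that
carries an rfc822Name SAN and replay the cert-request check that every
rfc822Name must match a 'mail' value of the subject principal.

Assumptions: the key is a software key standing in for the Yubikey 9a slot;
DIRECTORY is a constructed stand-in for the IPA LDAP user entries.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed sample of what IPA holds for two users: login -> mail values.
DIRECTORY = {
    "rkujawa": {"mail": ["rkujawa@example.test", "radoslaw@example.test"]},
    "alice": {"mail": ["alice@example.test"]},
}


def generate_stand_in_key():
    """Software key standing in for the on-token key (assumption, see above)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_user_csr_pem(key, login, emails):
    """CSR with CN=<login> and one rfc822Name SAN entry per address.

    This is the step yubico-piv-tool -a request cannot do; with the Yubico
    PKCS#11 module the same CSR can be signed by the key on the token.
    """
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, login)]))
        .add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(e) for e in emails]),
            critical=False,
        )
    )
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def check_csr_against_principal(csr_pem, principal, directory):
    """Replay of the cert-request name check for a user principal.

    Returns (accepted, reason). Rejects a CSR whose signature does not verify,
    whose CN differs from the principal, whose rfc822Name is not one of the
    principal's 'mail' values, or which carries a SAN type other than
    rfc822Name (assumption: a user cert needs no other SAN type here).
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        return False, "CSR signature does not verify"
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [principal]:
        return False, f"subject CN {cns} does not match principal {principal!r}"
    entry = directory.get(principal)
    if entry is None:
        return False, f"unknown principal {principal!r}"
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return True, "ok (no SAN requested)"
    allowed = set(entry.get("mail", []))
    for name in san:
        if not isinstance(name, x509.RFC822Name):
            return False, f"unsupported SAN type {type(name).__name__}"
        # Exact string match; how IPA normalises addresses is not stated in the thread.
        if name.value not in allowed:
            return False, f"rfc822Name {name.value!r} is not a mail value of {principal!r}"
    return True, "ok"


if __name__ == "__main__":
    key = generate_stand_in_key()
    good = build_user_csr_pem(key, "rkujawa", ["rkujawa@example.test"])
    bad = build_user_csr_pem(key, "rkujawa", ["alice@example.test"])
    print(check_csr_against_principal(good, "rkujawa", DIRECTORY))
    print(check_csr_against_principal(bad, "rkujawa", DIRECTORY))
```

Against the real token the CSR is produced the way Fraser suggests, through the PKCS #11 module rather than a software key: with OpenSSL's pkcs11 engine (libp11's engine_pkcs11) configured to load libykcs11, `openssl req -new -engine pkcs11 -keyform engine -key '<pkcs11 URI of the 9a key>' -subj "/CN=$(whoami)/" -addext 'subjectAltName=email:<user mail>'` signs the request with the on-token key and adds the rfc822Name; the private key never leaves the device, which is what the self-service flow depends on.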
freeipa-users@lists.fedorahosted.org