Product Technical Learning / PTL-7165

RH362-57: Add SubjectAltName to Describing certificates and CAs

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • RH362 - RHEL9.1-en-1-20230829, RH362 - RHEL 7.4 1 20180531
    • RH362
    • 5
    • ILT, ROLE, VT
    • en-US (English)


      Description: Describing the IdM Certificate Authority

      Certificates (p134)

      Include Subject Alternative Name (SAN) definitions and required use cases.

      Add in showing a certificate. In class I just view a certificate from the navigation bar in Firefox, ideally an external one like access.redhat.com, and then look at the details tab. In the text, you can print one out with openssl x509 -noout -text -in /etc/ipa/ca.crt (note that the ipa ca.crt file is a CA cert; to show the SAN, we need a server cert).

      Specifically, identify the "Subject" and then, under Extensions, the "Certificate Subject Alternative Name".

      Current applications, including most browsers, now verify ONLY off the SAN, which allows multiple values and wildcards. They will not verify from the subject field.

      Anyone who learned about certificates long ago - such as in RHS333 - is likely to take defaults and not specify a SAN, which will then later fail to validate when clients try to connect.

      In the next section, this is related to the -D option on the ipa-getcert command but we do not mention the --extSAN option for certutil or the subjectAltName= option in the openssl.cnf.
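      As an added example (not from the ticket, the course text, or any Red Hat tool), the following standard-library Python shows what the SAN-only check described above actually does: it parses the DER value of a Subject Alternative Name extension (the same data openssl x509 -text prints under "X509v3 Subject Alternative Name") and matches a host name against the dNSName and iPAddress entries only, with a wildcard honoured only as the whole left-most label. The SAN bytes are constructed for the example, not taken from a real certificate; a name that appears only in the Subject CN is not consulted at all, which is the failure the last two paragraphs describe.

```python
"""Parse an X.509 SubjectAltName extension value (DER GeneralNames) and
match a host name against it the way current TLS clients do: only SAN
entries count, the Subject CN is ignored, and a wildcard is honoured only
as the entire left-most label.

Added example, standard library only. SAN_DER is a constructed SAN
extension value, not taken from a real certificate.
"""
import ipaddress

# Constructed test data: DER encoding of
#   GeneralNames ::= SEQUENCE {
#     dNSName   "www.example.com",
#     dNSName   "*.example.org",
#     iPAddress 10.0.0.1 }
SAN_DER = bytes.fromhex(
    "3026"                                  # SEQUENCE, 38 bytes of content
    "820f" + b"www.example.com".hex()       # [2] dNSName, 15 bytes
    + "820d" + b"*.example.org".hex()       # [2] dNSName, 13 bytes
    + "87040a000001"                        # [7] iPAddress, 4 octets = 10.0.0.1
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_san(der):
    """Return a list of (kind, value) pairs from a SubjectAltName extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SubjectAltName must be a single SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:                     # [2] dNSName (IA5String)
            names.append(("DNS", value.decode("ascii")))
        elif tag == 0x87:                   # [7] iPAddress (raw 4 or 16 octets)
            names.append(("IP", str(ipaddress.ip_address(value))))
        elif tag == 0x81:                   # [1] rfc822Name
            names.append(("email", value.decode("ascii")))
        elif tag == 0x86:                   # [6] uniformResourceIdentifier
            names.append(("URI", value.decode("ascii")))
        else:                               # otherName, directoryName, ...: keep raw
            names.append(("other", value.hex()))
    return names


def _dns_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive; '*' only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject partial wildcards such as "w*.example.org" and too-broad ones such as "*.org".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label: "*.example.org" does not match "a.b.example.org".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_matches_cert(host, san_der):
    """True if host (DNS name or IP literal) is covered by a SAN entry.

    The Subject CN is deliberately never consulted: a certificate whose only
    claim to a name is its CN fails this check, as with current browsers.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for kind, value in parse_san(san_der):
        if addr is not None and kind == "IP" and ipaddress.ip_address(value) == addr:
            return True
        if addr is None and kind == "DNS" and _dns_matches(value, host):
            return True
    return False


if __name__ == "__main__":
    for kind, value in parse_san(SAN_DER):
        print(f"{kind}:{value}")
    for host in ("www.example.com", "api.example.org", "a.b.example.org",
                 "10.0.0.1", "legacy.example.net"):
        print(f"{host:20} -> {host_matches_cert(host, SAN_DER)}")
```

      Running it lists the three SAN entries and then shows that the wildcard covers api.example.org but not a.b.example.org, and that legacy.example.net is rejected no matter what the Subject CN says. To run the same check against a real server certificate, extract the SAN value with openssl (the command in the description, against a server cert rather than ca.crt) and pass its DER bytes to parse_san.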

              glsbugs-hybridcloud@redhat.com PTL - RHEL Team
              lauber Susan Lauber
              Votes: 1
              Watchers: 2