Satellite / SAT-38327

Doc confusion that will create a problem when deploying a custom certificate


    • Bug
    • Resolution: Unresolved
    • Normal
    • Documentation, Networking
    • sat-rocket

      Description of problem:

      Doc confusion that will create a problem when deploying a custom certificate

       

      At this moment, in chapter "4.12.1. Creating a custom SSL certificate for Satellite Server", we can see the template for the openssl.cnf file. Continuing, we can see some optional fields that we can add. Let me present the current scenario:

       

      openssl.cnf template

       

      [ req ]
      req_extensions = v3_req
      distinguished_name = req_distinguished_name
      prompt = no
      
      [ req_distinguished_name ]
      commonName = satellite.example.com
      
      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = @alt_names
      
      [ alt_names ]
      DNS.1 = satellite.example.com 

       

      Then, we can see the optional fields

       

      [req_distinguished_name]
      CN = satellite.example.com
      countryName = My_Country_Name
      stateOrProvinceName = My_State_Or_Province_Name
      localityName = My_Locality_Name
      organizationName = My_Organization_Or_Company_Name
      organizationalUnitName = My_Organizational_Unit_Name

       

      At the end of the process, let me add just the req_distinguished_name section

       

      [ req_distinguished_name ]
      commonName = satellite.example.com
      CN = satellite.example.com

      countryName = My_Country_Name
      stateOrProvinceName = My_State_Or_Province_Name
      localityName = My_Locality_Name
      organizationName = My_Organization_Or_Company_Name
      organizationalUnitName = My_Organizational_Unit_Name

       

      As a consequence, we can see two entries for CN. For the certificate, it's not a problem. However, for katello-certs-check, yes, this is a problem.

       

      My recommendation here would be to keep the same value; this will avoid confusion. Or you can mention that the customer can add either CN or commonName, but not both.

       

       

      This could be a nice example for the optional

      [ req_distinguished_name ]
      commonName = satellite.example.com

      countryName = My_Country_Name
      stateOrProvinceName = My_State_Or_Province_Name
      localityName = My_Locality_Name
      organizationName = My_Organization_Or_Company_Name
      organizationalUnitName = My_Organizational_Unit_Name

       

       

       

      How reproducible:

      100%

       

      Is this issue a regression from an earlier version:

       

      Steps to Reproduce:

      1. Adding CN and commonName to the CSR

      2. Whenever installing Satellite, katello-certs-check will fail

      3.

      Actual behavior:
      The information could cause some confusion for professionals who are not familiar with SSL-related topics

       

      Expected behavior:
      Keep the information simple, and free of doubts.

       

      Business Impact / Additional info:

       

              Unassigned
              Waldirio Pinheiro (rhn-support-wpinheir)
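A pre-flight check for the situation reported above, as an added example that is not part of the original report or of the Satellite documentation: it parses an openssl.cnf, treats the short and long attribute names (such as CN and commonName) as the same attribute, and reports any attribute that is set more than once in the distinguished name section. The function names and the sample configuration are constructed for illustration.

```python
import re

# Short names that OpenSSL resolves to the same attribute as the long name.
ALIASES = {"CN": "commonName", "C": "countryName", "ST": "stateOrProvinceName",
           "L": "localityName", "O": "organizationName",
           "OU": "organizationalUnitName"}

def parse_sections(text):
    """Parse an OpenSSL-style config into {section: [(key, value), ...]}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, []).append((key, value))
    return sections

def duplicate_dn_attributes(text):
    """Return {attribute: [keys]} for DN attributes set more than once."""
    sections = parse_sections(text)
    # The [ req ] section names the section that holds the subject fields.
    dn_name = dict(sections.get("req", [])).get("distinguished_name")
    seen = {}
    for key, _ in sections.get(dn_name, []):
        name = key.split(".", 1)[-1]   # "1.organizationName" -> "organizationName"
        seen.setdefault(ALIASES.get(name, name), []).append(key)
    return {attr: keys for attr, keys in seen.items() if len(keys) > 1}

# Constructed sample: the combined section from the report above.
SAMPLE = """\
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = satellite.example.com
CN = satellite.example.com
countryName = My_Country_Name
"""

if __name__ == "__main__":
    for attr, keys in duplicate_dn_attributes(SAMPLE).items():
        print(f"{attr} is set {len(keys)} times via {keys}; keep only one")
```

Running it against the file before generating the CSR catches the duplicate before katello-certs-check is run.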