Closed bemol38 closed 1 year ago
As you can see, the EST server rejected the request because of a missing value for subject.organization_unit.
Yes, it's a known bug. We've received the same bug report at https://github.com/Azure/iotedge/issues/6579 previously.
My first question would be: is there a way to look into what the CSR really contains ?
It's not logged anywhere by certd if that's what you're asking. You could compile your own debug build and step through with a debugger. Or you could spin up a tiny netcat server and set it as the EST endpoint.
Thank you @arsing. You answered my questions. To my understanding, to build a correct CSR, the identityd service would first need to access the full subject, if any. Either the subject would need to be written to the identityd 00-super.toml too, or it should be retrievable from identityd through an api call to certd, with a new api function (get_cert_subject ?), since the subject is available in the certd 00-super.toml. And the create_csr function would need to be rewritten too... And maybe more ...
@bemol38 we've triaged the bug and are working on a fix. Might be slotted for a slightly later release as we line up some other fixes and security patches. How urgent is this for you?
Hi @jlian First, thank you for working on a fix. I would be very happy to be able to test this fix before end of october.
Would you be able to have DigiCert configure the EST endpoint to not require organizational_unit (OU) field in the meantime?
Hi @jlian, To answer your question, yes, we are using as a temporary solution an EST end-point which does not require the OU field.
Hey folks, the change is merged (thanks @onalante-msft).
Ideally, we could have you try it before we take it for the release:
@bemol38 do you think you could give it a try this week?
Hi @jlian I gave a try this morning, and it worked. aziot service is able to build a CSR containing the OU field, as set in config.toml, and to send the CSR to our Digitcert EST Server, which now accepts it, and returns a certificate containing the OU field. The certificate lands in /var/lib/aziot/certd/certs, as expected. With that certificate, the automated provisioning is executed, the OU field is checked with a custom allocation policy and the device is registered to the IoTHub. So far so good :-) (What I did not test already is the certificate renewal.)
Thanks a lot for your valued assistance !
Thanks for fixing this!
Hi everybody, What I want to achieve is to provision my device to my DPS, using X509 certificate attestation, using as identity_cert a certificate issued by a Digicert EST end-point, which requires a CSR containing both a common_name (CN) and an organizational_unit (OU) fields. To authenticate to the EST server, a pre-existing "birth" certificate (according to our own terminology) is used, the key pair of which is stored in TPM.
Therefore my config.toml template looks like below, and the env variables are substituted with the envsubst command, before aziotctl config is applied.
By doing so, we get the following error (see end of the log):
As you can see, the EST server rejected the request because of a missing value for subject.organization_unit.
My first question would be: is there a way to look into what the CSR really contains ?
To check if the problem could come from the EST end-point, I first created a CSR manually:
which gave:
and then sent the CSR to the EST end-point:
one can see that the certificate could be issued:
What I also tried is to use the Certificate Service to send the CSR, after having created the needed config files in certd and keyd. With that files configured, I could submit the CSR with this command:
and got a valid certificate too. From this success I concluded that the problem is not sending the CSR but creating the CSR.
So my actual conclusion is: there is a problem with the CSR that the Identity Service is generating, and sending to the EST end-point
I would really appreciate any help to better diagnose the problem.