Missing constraint & agent verification of Subject Alternative Name (SAN) extension

[SilleBille]

This issue was migrated from Pagure Issue #2956.Originally filed by tokred on 2018-03-08

Currently, I am implementing Dogtag PKI 10.4 on Centos 7.3 in my company environment, primarily for TLS server certificates based on provided CSRs using caServerCert profile.

DNS FQDN in the subject's CN is deprecated for ages (RFC 2818 from '00), instead there is the Subject Alternative Name (SAN) extension with dNSName type. Fallback to CN is also deprecated since RFC 6125. Therefore, we need full SAN support.

I had to find out that there are two major features missing regarding the handling of SAN extensions:

• a constraint class for SAN, similar to subjectNameConstraint
• agent verification of the SAN content prior to approval (i.e. displaying in approval form), also similar to subject, to control issuing of certificates

This is really unfortunate, especially due to the increased (and legitimate) enforcement of proper SAN handling of Google Chrome, various libraries, etc.

Developing commonNameToSANDefault was great, but without the abovementioned functionality I am afraid it's only of little use. userExtensionDefault for OID 2.5.29.17 doesn't solve this either.

Any ideas for pragmatic solutions?

Best regards

[SilleBille]

Posted by ftweedal on 2018-03-11:

Hi tokred. Yes, this is a missing feature. The only practical workaround is if you use a profile with no way to directly input a SAN, then use CommonNameToSANDefault, and rely on SubjectNameConstraint to also validate the SAN. That means that there would be a maximum of one SAN dnsName, so this approach is of limited use.

Because you want a solution today, the only other approach I can suggest is to implement the constraint class yourself, and configure Dogtag to use it. We'll be happy to assist and you are welcome to contribute the code upstream.