As a bosh user,
In order to work with certificates generated by bosh interpolate
I need the certificates to be compliant with the spec, where the country code (C) must be 2 letters.
As a result, tools such as openssl improperly handle them, in particular when computing their Subject Key Identifier from their Subject: the invalid Country=USA (3 letters) is excluded. This prevents regenerating new certs with new expiration dates using openssl.
$ show-cert blobstore_ca.ca_new
Serial Number:
f6:b9:5c:fc:97:14:63:86:59:43:f0:9d:82:f4:2d:c6
Issuer: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
Validity
Not Before: Oct 17 12:16:58 2023 GMT
Not After : Oct 16 12:16:58 2025 GMT
Subject: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
94:EE:29:B3:BE:01:CB:36:93:8F:42:72:F7:A6:57:6E:8D:17:C5:78
X509v3 Authority Key Identifier:
45:C4:44:B9:63:4F:4A:CD:C8:A0:4C:28:31:37:60:6E:91:56:74:FE
Proposed fix
Add support for specifying the country code in the variables option (https://bosh.io/docs/director-certs/) so users can opt in to a valid C=US instead of the invalid C=USA.
Expected behavior
As a bosh user, in order to work with certificates generated by bosh interpolate, I need the certificates to be compliant with the spec, where the country code must be 2 letters:
https://www.ietf.org/rfc/rfc2459.html
Observed behavior
The bosh CLI's interpolate (https://bosh.io/docs/director-certs/) creates certificates where the country code is USA (3 letters) and thus invalid. The relevant generator code:
https://github.com/cloudfoundry/bosh-cli/blob/1a5b8fa77d38050e89b137f834760213ce04312c/vendor/github.com/cloudfoundry/config-server/types/certificate_generator.go#L187-L199
Proposed fix
As described above. The relevant code in the certificate generator:
https://github.com/cloudfoundry/bosh-cli/blob/1a5b8fa77d38050e89b137f834760213ce04312c/vendor/github.com/cloudfoundry/config-server/types/certificate_generator.go#L28-L37
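As an added example (not bosh-cli or config-server code), the Go program below builds a self-signed CA shaped like the one shown above with a caller-supplied country value, then checks the parsed Subject for C values that are not 2-letter codes; it shows that Go's standard crypto/x509 happily encodes "USA", so the check has to be done by the generator or a validator. The function names GenerateCA and InvalidCountryCodes are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// GenerateCA builds a self-signed CA shaped like the one in the issue, with the
// caller's country value. Go's x509 package encodes any string here unchanged,
// which is how a 3-letter "USA" can end up in the Subject. (Hypothetical helper.)
func GenerateCA(country string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{country},
			Organization: []string{"Cloud Foundry"},
			CommonName:   "default.blobstore-ca.bosh-internal",
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(2, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// InvalidCountryCodes returns every Subject C value that is not a two-letter
// upper-case code as RFC 2459 requires; an empty result means the Subject is compliant.
func InvalidCountryCodes(cert *x509.Certificate) []string {
	var bad []string
	for _, c := range cert.Subject.Country {
		if len(c) != 2 || c[0] < 'A' || c[0] > 'Z' || c[1] < 'A' || c[1] > 'Z' {
			bad = append(bad, c)
		}
	}
	return bad
}
```

Running InvalidCountryCodes over a CA generated with "USA" reports the bad value, while one generated with "US" reports nothing.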
/CC @ogrand