Closed mikekuzak closed 1 month ago
Hi,
the "Microsoft Certificate Web Enrollment Service" does unfortunately not allow a submission of OU or O attributes outside of the CSR. Acme2certifier cannot add these attributes to the CSR as this would break the CSR signature and the CSR would get rejected by the CA server. That means the attributes must be either added by client or CA-Server. Not sure if Traefik or Microsoft-CA do support this but it is worth checking the documentation.
/G.
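The signature point above, as an added example that is not part of the original thread or of acme2certifier: it builds a CSR with O and OU set in the client's request config, then rewrites the OU bytes the way an intermediary would have to, and checks the self-signature of both. The subject values, file names and function names are constructed, and the openssl CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example: the subject values and file names are constructed, not from the thread.
set -eu

# Client side: O and OU go into the request config, so they are signed with the CSR.
make_csr() {  # $1 = work directory
    cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = Example Org
OU = Platform
CN = traefik.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -outform DER -out "$1/csr.der" 2>/dev/null
}

# Stand-in for an in-flight rewrite: swap the OU value for one of the same length
# so the DER stays parseable, and leave the signature bytes untouched.
tamper_ou() {  # $1 = input DER, $2 = output DER
    LC_ALL=C sed 's/Platform/Tampered/' "$1" > "$2"
}

csr_subject() {  # $1 = DER CSR
    openssl req -in "$1" -inform DER -noout -subject
}

# Succeeds only when the CSR self-signature verifies. The output is matched
# because some openssl releases exit 0 even on "verify failure".
csr_signature_ok() {  # $1 = DER CSR
    openssl req -in "$1" -inform DER -noout -verify 2>&1 | grep -q 'verify OK'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work"
tamper_ou "$work/csr.der" "$work/tampered.der"
for f in csr.der tampered.der; do
    if csr_signature_ok "$work/$f"; then state="signature OK"; else state="signature INVALID"; fi
    echo "$f: $(csr_subject "$work/$f") -> $state"
done
```

The same `csr_subject` and `csr_signature_ok` checks can be run on any CSR before it is submitted, to confirm that O and OU are present and covered by the signature.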
Ok, thanks for the explanation. If I use MSCWES with curl requests and I supply a CSR that used a custom openssl.cfg with these attributes set, they do appear in the certificate. I looked at the Traefik docs and didn't find any way of setting this from the client's end. But if this is ACME client specific, then at least I know it can't be altered in flight through the acme2certifier proxy.
On Fri, 6 Sept 2024, 09:05 grindsa, @.***> wrote:
Hi,
the "Microsoft Certificate Web Enrollment Service" does unfortunately not allow a submission of OU or O attributes outside of the CSR. Acme2certifier cannot add these attributes to the CSR as this would break the CSR signature and the CSR would get rejected by the CA server. That means the attributes must be either added by client or CA-Server. Not sure if Traefik or Microsoft-CA do support this but it is worth checking the documentation.
/G.
Hi
I'm using mscertsrv_ca_handler to connect to our MSCert Server. I see the connection is working and I can get a certificate from Traefik. Is there a way to set the organizationalUnitName (OU) and Organization (O) to be taken into account? I have modified the /etc/ssl/openssl.cfg and added all the required fields, but that doesn't seem to take effect.
Are there any specific steps I'm missing? Thanks