openconfig / gnoi

gRPC Network Operations Interface (gNOI) defines a set of gRPC-based microservices for executing operational commands on network devices.
Apache License 2.0

How to handle multiple IPs in CSRParams ip_address field in gnoi cert #31

Open matibens opened 4 years ago

matibens commented 4 years ago

It's quite a common scenario that you want to cover multiple IPs in one certificate via subjectAltName. Do you have any recommendation on how to implement this in gnoi cert? Can we just send a comma-separated list of IPs in the ip_address field and parse it on the target?

samribeiro commented 4 years ago

Hi @matibens, the x509 Certificate IPAddresses SAN is clearly a list of IP addresses. Given that the gnoi cert proto states ip_address in the singular, I would settle that it only supports one IP address and avoid possible ambiguities by stating that it could use comma-separated values. Therefore I believe we have a gap here that can be covered with a simple proto augmentation. In fact, I think it would be of use to clearly state what are Extensions and what are SANs in the CSR.

matibens commented 4 years ago

Hi @samribeiro, do you mean something like a repeated CertificateExtension message in CSRParams? CertificateExtension could include a oneof with messages for specific extensions. Or do you have something more sophisticated in mind?

samribeiro commented 4 years ago

For simplicity I would settle with just the SANs:

```proto
message CSRParams {

  <...>

  // SANs for x509 certificates.
  repeated string dns_names = 12;
  repeated string email_addresses = 13;
  repeated string ip_addresses = 14;
  repeated string uris = 15;

}
```
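The two points made above, that the x509 IPAddresses SAN is a list and that a repeated ip_addresses field removes the comma-separated ambiguity, can be shown with Go's crypto/x509, which is what a target would use to turn the proposed CSRParams into a CSR. This is an added example and not code from the gnoi project; the csrParams struct, its field names and the helper function names are assumptions mirroring the proposal, and the IPs and hostnames are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// csrParams mirrors the repeated SAN fields proposed in the thread.
// Assumed names for illustration; this is not the gnoi cert proto.
type csrParams struct {
	CommonName     string
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []string // one textual IP per entry
	URIs           []string
}

// parseIPSANs converts the repeated textual IP entries into net.IP values.
// Each entry must be exactly one IP: a comma-separated list stuffed into one
// entry is rejected, which is the ambiguity the repeated field avoids.
func parseIPSANs(entries []string) ([]net.IP, error) {
	ips := make([]net.IP, 0, len(entries))
	for _, e := range entries {
		ip := net.ParseIP(strings.TrimSpace(e))
		if ip == nil {
			return nil, fmt.Errorf("ip_addresses entry %q is not a single IP address", e)
		}
		ips = append(ips, ip)
	}
	return ips, nil
}

// buildCSR is what a target would do after receiving CSRParams: generate a
// key, fill the x509 SAN lists (IPAddresses is a slice, not a string), sign
// the request, and return it PEM-encoded together with the private key.
func buildCSR(p csrParams) ([]byte, *ecdsa.PrivateKey, error) {
	ips, err := parseIPSANs(p.IPAddresses)
	if err != nil {
		return nil, nil, err
	}
	uris := make([]*url.URL, 0, len(p.URIs))
	for _, u := range p.URIs {
		parsed, err := url.Parse(u)
		if err != nil {
			return nil, nil, fmt.Errorf("uris entry %q: %w", u, err)
		}
		uris = append(uris, parsed)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: p.CommonName},
		DNSNames:       p.DNSNames,
		EmailAddresses: p.EmailAddresses,
		IPAddresses:    ips,
		URIs:           uris,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// ipSANsFromCSR parses a PEM CSR, checks its self-signature, and returns the
// IP SANs as strings: the check a CA would run before issuing, to confirm
// that every requested IP landed in the subjectAltName extension.
func ipSANsFromCSR(pemCSR []byte) ([]string, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil {
		return nil, errors.New("no PEM block in CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	out := make([]string, len(csr.IPAddresses))
	for i, ip := range csr.IPAddresses {
		out[i] = ip.String()
	}
	return out, nil
}

func main() {
	// Constructed sample input: a dual-stack device wanting both addresses.
	p := csrParams{
		CommonName:  "router1.example.net",
		DNSNames:    []string{"router1.example.net"},
		IPAddresses: []string{"192.0.2.10", "2001:db8::10"},
	}
	csrPEM, _, err := buildCSR(p)
	if err != nil {
		panic(err)
	}
	ips, err := ipSANsFromCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SANs in CSR:", ips)
	// The single-field workaround from the question is rejected outright.
	_, err = parseIPSANs([]string{"192.0.2.10,192.0.2.11"})
	fmt.Println("comma-separated entry:", err)
}
```

The CA-side re-parse matters in practice: a target that silently dropped or mis-parsed an entry would produce a CSR that signs fine but is missing an address, and the operator would only notice when TLS clients reject the issued certificate for that IP.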
matibens commented 4 years ago

That also works for us, thank you.