smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: Certificate renewal does not preserve Subject with ExtraNames #1106

Closed unreality closed 2 years ago

unreality commented 2 years ago

Steps to Reproduce

Create a new provisioner with a template that has ExtraNames in the Subject, eg:

{
  "subject": {
    "extraNames": [
      { "type": "0.9.2342.19200300.100.1.25", "value": "com" },
      { "type": "0.9.2342.19200300.100.1.25", "value": "example" },
      { "type": "0.9.2342.19200300.100.1.25", "value": "dc" },
      { "type": "2.5.4.11", "value": "Domain Controllers" },
      { "type": "2.5.4.3", "value": {{ toJson .Subject.CommonName }} }
    ]
  },
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["keyAgreement", "digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

Additionally, Subject order is not preserved, so in some cases you may get Subject: CN=TestCert,OU=Domain Controllers

Your Environment

Expected Behavior

Subject should be preserved

Actual Behavior

Subject is re-written with missing ExtraNames

Additional Context

I had a quick look through the code and couldn't see a quick fix for this one; it seems step-ca parses the certificates using x509 pretty early on and then copies the Subject across, which is missing the ExtraNames.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
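The mechanism described in the report (parse the certificate with crypto/x509, copy the resulting Subject into the new template, sign) can be reproduced with nothing but the Go standard library. The program below is an added example, not code from step-ca, from the fix PR, or from either commenter. It builds the Subject the template above would produce for a CSR whose common name is TestCert (the CN taken from the report), DER-encodes it, parses it back the way x509.ParseCertificate fills cert.Subject, and re-encodes it twice: once naively, which drops the three DC attributes, and once after moving the parsed Names slice into ExtraNames, which keeps every attribute in its original order. The helper names (templateSubject, encodeSubject, decodeSubject, reissue, subjectString) are mine.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

// OIDs used by the template in the issue, plus short names for printing them.
var (
	oidDomainComponent    = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
	oidOrganizationalUnit = asn1.ObjectIdentifier{2, 5, 4, 11}
	oidCommonName         = asn1.ObjectIdentifier{2, 5, 4, 3}
	shortNames            = map[string]string{"0.9.2342.19200300.100.1.25": "DC", "2.5.4.11": "OU", "2.5.4.3": "CN"}
)

// templateSubject (hypothetical helper) builds the Subject the template yields for
// a CSR with common name cn, carried in ExtraNames in the template's ASN.1 order.
func templateSubject(cn string) pkix.Name {
	return pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidDomainComponent, Value: "com"},
		{Type: oidDomainComponent, Value: "example"},
		{Type: oidDomainComponent, Value: "dc"},
		{Type: oidOrganizationalUnit, Value: "Domain Controllers"},
		{Type: oidCommonName, Value: cn},
	}}
}

// encodeSubject DER-encodes a pkix.Name as x509.CreateCertificate does when RawSubject
// is empty: ToRDNSequence emits the well-known fields plus ExtraNames and ignores Names.
func encodeSubject(n pkix.Name) ([]byte, error) {
	return asn1.Marshal(n.ToRDNSequence())
}

// decodeSubject parses DER as x509.ParseCertificate fills cert.Subject: every attribute
// lands in Names, well-known ones are also copied to CommonName etc., ExtraNames stays empty.
func decodeSubject(der []byte) (pkix.Name, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil || len(rest) != 0 {
		return pkix.Name{}, fmt.Errorf("bad RDNSequence: err=%v, %d trailing bytes", err, len(rest))
	}
	var n pkix.Name
	n.FillFromRDNSequence(&seq)
	return n, nil
}

// reissue models "parse the old cert, copy its Subject into the new template, sign".
// keepNames=false feeds the parsed Name straight back to ToRDNSequence, so the DCs
// (present only in Names) are dropped. keepNames=true moves Names into ExtraNames first;
// ToRDNSequence then skips well-known fields whose OID is already in ExtraNames.
func reissue(n pkix.Name, keepNames bool) ([]byte, error) {
	der, err := encodeSubject(n)
	if err != nil {
		return nil, err
	}
	parsed, err := decodeSubject(der)
	if err != nil {
		return nil, err
	}
	if keepNames {
		parsed.ExtraNames = parsed.Names
	}
	return encodeSubject(parsed)
}

// subjectString renders a DER RDNSequence in RFC 4514 display order (last RDN first);
// OIDs outside shortNames print in dotted form.
func subjectString(der []byte) (string, error) {
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(der, &seq); err != nil {
		return "", err
	}
	var rdns []string
	for i := len(seq) - 1; i >= 0; i-- {
		var atvs []string
		for _, atv := range seq[i] {
			name, ok := shortNames[atv.Type.String()]
			if !ok {
				name = atv.Type.String()
			}
			atvs = append(atvs, fmt.Sprintf("%s=%v", name, atv.Value))
		}
		rdns = append(rdns, strings.Join(atvs, "+"))
	}
	return strings.Join(rdns, ","), nil
}

func main() {
	orig := templateSubject("TestCert")
	der, _ := encodeSubject(orig)
	lossy, _ := reissue(orig, false)
	kept, _ := reissue(orig, true)
	for _, d := range [][]byte{der, lossy, kept} {
		s, _ := subjectString(d)
		fmt.Println(s)
	}
	fmt.Println("preserved == original:", bytes.Equal(der, kept))
}
```

Running it prints the original Subject (CN=TestCert,OU=Domain Controllers,DC=dc,DC=example,DC=com), the naive re-issue (CN=TestCert,OU=Domain Controllers, the truncated form quoted in the report), and the preserved re-issue, which is byte-identical to the original. Two caveats on the Names-to-ExtraNames trick: it relies on ToRDNSequence suppressing a well-known field whose OID already appears in ExtraNames (so nothing is emitted twice), and it emits one RDN per attribute, so a multi-valued RDN in the parsed certificate would be flattened. Where the Subject must be carried across verbatim, copying the parsed certificate's RawSubject into the new x509.Certificate template is the safer route, since CreateCertificate uses RawSubject as-is whenever it is non-empty instead of re-serialising Subject.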

maraino commented 2 years ago

Thanks again @unreality, this should fix the issue #1123