smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0
6.79k stars 445 forks source link

How to create a dns allow policy that can use sub-sub domains? #2053

Open akumar-xyz opened 3 weeks ago

akumar-xyz commented 3 weeks ago

Hello!

Affected area/feature

When configuring CA issuance policy, how to allow all sub-sub domains i.e. wildcard that expands to multiple labels?

For clarity:

  1. *.acme.com
    • MATCHES xyz.acme.com
    • NOT MATCH xyz.cloud.acme.com
  2. *.*.acme.com - NOT ALLOWED (cannot parse permitted URI domain constraint "*.*.acme.com": URI domain constraint "*.*.acme.com" can only have wildcard as starting character)
  3. .acme.com - NOT ALLOWED (cannot parse permitted domain constraint ".acme.com": domain constraint ".acme.com" with wildcard should start with *)

I also tried 3 because RFC5280 states:

When the constraint begins with a period, it MAY be expanded with one or more labels. That is, the constraint ".example.com" is satisfied by both host.example.com and my.host.example.com. However, the constraint ".example.com" is not satisfied by "example.com".

As far as I can tell, the matching rules are more similar to RFC2818 which would mean what I'm trying to do is not possible.

Is it possible to match for all sub-sub domains with just one rule? Something like **.acme.com? Is the only solution to maintain a list of subdomains as well?

hslatman commented 2 weeks ago

Hey @akumar-xyz, thank you for opening the issue.

For the current implementation we decided our issuance policies had to be simple to configure, and thus we decided to put limits on the usage of the wildcard to a single label. While it's true that the evaluation rules are similar to how X509 Name Constraints are defined and evaluated, they're not exactly the same, the main reason for which is to keep things simple.

If you need wildcards on multiple labels you'll indeed need to keep track of the subdomains, and define a rule for each. Or instead of using an issuance policy, you can implement a webhook receiver to fully control when a certificate is allowed to be signed using our webhooks support.