Feature #7666: Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager
Status: Closed
% Done: 100%
Description
Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager
Way NO1 of creating User cert:
When creating Internal certificate of type User Certificate via
System > Cert. Manager > Certificates > Add
the SAN field is added with DNS equal to the username,
unless of course Alternative Names (FQDN (called DNS in the $altname_types array as found in system_certmanager.php), IP, email, URI) are overridden in this creation form.
The logic is located here https://github.com/pfsense/pfsense/blob/83d2b83af9953ecbcc5917d935f077e7dabe8e10/src/usr/local/www/system_certmanager.php#L448
where
$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
is set.
This results in the user cert
emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV SAN: DNS: username EKU: TLS Web Client Authentication
Way NO2 of creating user cert:
When creating User via
System > User manager > Users > Add
and choosing to create a user cert along the way, no such thing happens
https://github.com/pfsense/pfsense/blob/fc1913fef29fbc7f90e8e2fe9374b761411f09ae/src/usr/local/www/system_usermanager.php
That results in user cert
emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV KU: Digital Signature, Non Repudiation, Key Encipherment EKU: TLS Web Client Authentication
(missing SAN field)
This SAN field is needed for cert based user authentication when handshaking the TLS peer certificate in IKEv2 (isn't it?)
Currently IT IS POSSIBLE (and I am using) way NO1 to generate User certificates for certificate based IKEv2 user authentication.
Meanwhile, for other user needs AS WELL AS cert based OpenVPN authentication one can (and I do) add users via User manager, just clicking "create certificate" in the user adding process, and everything works. In cert manager I can nicely see all user certificates that are "In Use" in the "User Cert" space.
This different behaviour makes things "loose" in terms of "user management / overview".
If User certificates that are created via System > User manager > Users > Add along creating the user itself contained SAN: DNS: username field, then these certificates could be used much broader.
My example case is that in user manager the admin could clearly see all users (that are created for whatever reasons), but especially all users that are created for VPN access could be managed from there too (and no need to "manually" jump around and create certs in cert manager). User certs that are created in user manager would work for both OpenVPN as well as IKEv2 use cases (my goal).
Thanks!
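A small check for the property this ticket is about (DNS:<CN> present in the Subject Alternative Name of a user certificate), added here as an example and not pfSense code: it builds two throwaway self-signed certs with openssl, one carrying SAN DNS:username as Cert. Manager emits it and one without, as User Manager did before the fix, and reports which one passes. It assumes openssl 1.1.1 or newer (for -addext); the username alice, the O=MYORG subject and all helper names are made up.

```shell
#!/bin/sh
# Added example (not pfSense code): verify that a user certificate carries its
# CN as a DNS entry in the SAN, which is what User Manager certs lacked.
set -eu

# Print the CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the SAN line of a PEM certificate (empty when the extension is absent).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Exit status 0 when DNS:<CN> is one of the SAN entries, 1 otherwise.
san_has_cn() {
  cn=$(cert_cn "$1")
  cert_san "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$cn"
}

# Build a throwaway self-signed user cert: $1=output prefix, $2=username,
# $3=optional extension string such as "subjectAltName=DNS:alice" ("" for none).
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2/O=MYORG" \
      -addext "$3" -keyout "$1.key" -out "$1.crt" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2/O=MYORG" \
      -keyout "$1.key" -out "$1.crt" 2>/dev/null
  fi
}

# Demo: Cert. Manager style (SAN present) vs. pre-fix User Manager style (none).
tmp=$(mktemp -d)
make_cert "$tmp/certmgr" alice "subjectAltName=DNS:alice"
make_cert "$tmp/usermgr" alice ""
for c in certmgr usermgr; do
  if san_has_cn "$tmp/$c.crt"; then
    echo "$c.crt: OK, SAN contains DNS:$(cert_cn "$tmp/$c.crt")"
  else
    echo "$c.crt: MISSING DNS:<CN> in SAN (IKEv2 identity match will fail)"
  fi
done
```

Point san_has_cn at a certificate exported from the pfSense Cert. Manager to confirm that the identity charon is asked to match is actually present as a DNS SAN.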
Updated by Reinis Adovics over 7 years ago
It could also be made optional in User Manager.
By default there is no SAN (just as now), but there would be possibility to add Alternative Names (FQDN, IP, email, URI) in Create Certificate for User when adding new user, just as in system_certmanager.php?act=new (thus to achieve SAN: DNS: username for the user certificate that is created along with the user one would have to specify FQDN value).
Updated by Jim Pingle over 7 years ago
- Status changed from New to Assigned
- Assignee set to Jim Pingle
Current certificate best practices are to have the CN be the first SAN, so it shouldn't be optional. That small initial form method is a little different though. It's easy to miss. I'll get it fixed up.
Updated by Reinis Adovics over 7 years ago
Thank you sooo much!
I am constantly sitting on the 2.4 beta edge (currently 2.4.0.b.20170627.1443), just let me know and I will test it.
Maybe the issue that for IKEv2 charon screams "no trusted certificate found for 'username' to verify TLS peer" when using user certificates that are created via User Manager, but gladly accepts "manually" created User Certificates, lies elsewhere (not SAN DNS), but I doubt it.
Updated by Jim Pingle over 7 years ago
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
Applied in changeset b767fe6cdf7977916d2f245ea529f84f7e0d1f30.
Updated by Reinis Adovics almost 7 years ago
Pardon for late reply.
Yes, user certs that are (auto)generated via System > User manager > Users > Add now work with cert based IKEv2. Both on macOS and iOS. Haven't tested MSW yet though.
Thank you!