Project

General

Profile

Actions

Feature #7666

closed

Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager

Added by Reinis Adovics over 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
06/28/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Adding SAN DNS:username to User Certificates that are created via User Manager same way as it is done via Cert. Manager

Way NO1 of creating User cert:

When creating Internal certificate of type User Certificate via
System > Cert. Manager > Certificates > Add
SAN field is added with DNS equal to username
Unless of course Alternative Names (FQDN (called DNS in $altname_types array as found in system_certmanager.php), IP, email, URI) in form are not overriden
is not "overridden" in this creation form.

The logic is located here https://github.com/pfsense/pfsense/blob/83d2b83af9953ecbcc5917d935f077e7dabe8e10/src/usr/local/www/system_certmanager.php#L448
where

$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");

is set.

This results in user cert

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
SAN: DNS: username
EKU: TLS Web Client Authentication

Way NO2 of creating user cert:

When creating User via
System > User manager > Users > Add

and choosing to create user cert along the way no such thing happens
https://github.com/pfsense/pfsense/blob/fc1913fef29fbc7f90e8e2fe9374b761411f09ae/src/usr/local/www/system_usermanager.php

That results in user cert

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication

(missing SAN field)

This SAN field is needed for cert based user authentication when handshaking TLS peer certificate in IKEv2 (isn't, it?)

Currently IT IS POSSIBLE (and I am using) way NO1 to generate User certificates for certificate based IKEv2 user authentication.
Meanwhile, for other user needs AS WELL AS cert based OpenVPN authentication one can (and I am) adding users via User manager, just clicking "create certificate" in the user adding process and everything works. In cert manager I can nicely see all user certificates, that are "In Use" to "User Cert" space.
This different behaviour makes things "loose" in terms of "user management / overview".

If User certificates that are created via System > User manager > Users > Add along creating the user itself contained SAN: DNS: username field, then these certificates could be used much broader.
My example case is that in user manager admin could clearly see all users (that are created for whatever reasons), but especially all users that are created for VPN access can be manage also from there (and no need to "manually" jump around and create certs in cert manager). Users certs that are created in user manager would work for both OpenVPN as well as IKEv2 use cases (my goal).

Thanks!

Actions #1

Updated by Reinis Adovics over 7 years ago

It could also be made optional in User Manager.
By default there is no SAN (just as now), but there would be possibility to add Alternative Names (FQDN, IP, email, URI) in Create Certificate for User when adding new user, just as in system_certmanager.php?act=new (thus to achieve SAN: DNS: username for the user certificate that is created along with the user one would have to specify FQDN value).

Actions #2

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle

Current certificate best practices are to have the CN be the first SAN, so it shouldn't be optional. That small initial form method is a little different though. It's easy to miss. I'll get it fixed up.

Actions #3

Updated by Reinis Adovics over 7 years ago

Thank you sooo much!
I am constantly sitting on the 2.4 beta edge (currently 2.4.0.b.20170627.1443), just let me now and I will test it.
Maybe the issue that for IKEv2 charon screams no trusted certificate found for 'username' to verify TLS peer when using user certificates that are created via User Manager, but gladly accepts "manually" created User Certificates lies elsewhere (not SAN DNS), but I doubt it.

Actions #4

Updated by Jim Pingle over 7 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

Works fine now.

Actions #6

Updated by Reinis Adovics about 7 years ago

Pardon for late reply.
Yes, user certs that are (auto)generated via System > User manager > Users > Add now work with cert based IKEv2. Both on macOS and iOS. Haven't tested MSW yet though.
Thank you!

Actions

Also available in: Atom PDF