Feature #7666

Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager

Added by Reinis Adovics almost 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User manager
Target version:
Start date:
06/28/2017
Due date:
% Done:

100%

Estimated time:

Description

Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager

Way no. 1 of creating a user cert:

When creating an Internal Certificate of type User Certificate via
System > Cert. Manager > Certificates > Add
a SAN field is added with DNS equal to the username,
unless of course the Alternative Names (FQDN (called DNS in the $altname_types array as found in system_certmanager.php), IP, email, URI) are overridden in this creation form.

The logic is located here https://github.com/pfsense/pfsense/blob/83d2b83af9953ecbcc5917d935f077e7dabe8e10/src/usr/local/www/system_certmanager.php#L448
where

$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");

is set.

This results in a user cert:

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
SAN: DNS: username
EKU: TLS Web Client Authentication

Way no. 2 of creating a user cert:

When creating a User via
System > User manager > Users > Add

and choosing to create a user cert along the way, no such thing happens:
https://github.com/pfsense/pfsense/blob/fc1913fef29fbc7f90e8e2fe9374b761411f09ae/src/usr/local/www/system_usermanager.php

That results in a user cert:

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication

(missing SAN field)

This SAN field is needed for cert-based user authentication when handshaking the TLS peer certificate in IKEv2 (isn't it?)

Currently IT IS POSSIBLE (and I am using way no. 1) to generate User certificates for certificate-based IKEv2 user authentication.
Meanwhile, for other user needs AS WELL AS cert-based OpenVPN authentication, one can (and I do) add users via User manager, just clicking "create certificate" in the user adding process, and everything works. In Cert. Manager I can nicely see all user certificates that are "In Use" as "User Cert".
This different behaviour makes things "loose" in terms of "user management / overview".

If User certificates that are created via System > User manager > Users > Add along with the user itself contained a SAN: DNS: username field, then these certificates could be used much more broadly.
My example case is that in User manager an admin could clearly see all users (that are created for whatever reasons), and especially all users that are created for VPN access could be managed from there as well (with no need to "manually" jump around and create certs in Cert. Manager). User certs that are created in User manager would work for both OpenVPN and IKEv2 use cases (my goal).

Thanks!
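
As an added illustration (not pfSense code and not part of this ticket), the following Go program issues a stand-in user certificate both ways described above, with DNS:username as the first SAN (the Cert. Manager path) and without any SAN (the old User Manager path), and applies the check a responder needs to pass: the CN must appear as the first DNS SAN. Self-signed ed25519 and the fixed CN "username" are assumptions made for the example only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeUserCert issues a self-signed client-auth cert with CN=username and the given DNS SANs
// (self-signed ed25519 is an assumption standing in for a CA-signed pfSense user cert).
func makeUserCert(username string, sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: username},
		DNSNames:     sans, // Cert. Manager path: []string{username}; old User Manager path: nil
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkUserCert fails unless the first DNS SAN equals the CN, the identity a responder like charon looks for.
func checkUserCert(c *x509.Certificate) error {
	if len(c.DNSNames) == 0 || c.DNSNames[0] != c.Subject.CommonName {
		return fmt.Errorf("CN %q is not the first DNS SAN (SANs: %v)", c.Subject.CommonName, c.DNSNames)
	}
	return nil
}

func main() {
	for _, sans := range [][]string{{"username"}, nil} {
		c, err := makeUserCert("username", sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("DNSNames=%v check=%v\n", c.DNSNames, checkUserCert(c))
	}
}
```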

Associated revisions

Revision 2e1809dd (diff)
Added by Jim Pingle almost 2 years ago

Fix some additional cases for CN->SAN handling, and move some code to a function to avoid duplication for other pending uses. Ticket #7666

Revision b767fe6c (diff)
Added by Jim Pingle almost 2 years ago

Add the username as the first SAN when making a user certificate from the user manager creation screen. Fixes #7666

History

#1 Updated by Reinis Adovics almost 2 years ago

It could also be made optional in User Manager.
By default there is no SAN (just as now), but there would be the possibility to add Alternative Names (FQDN, IP, email, URI) in Create Certificate for User when adding a new user, just as in system_certmanager.php?act=new (thus, to achieve SAN: DNS: username for the user certificate that is created along with the user, one would have to specify the FQDN value).

#2 Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle

Current certificate best practices are to have the CN be the first SAN, so it shouldn't be optional. That small initial form method is a little different though. It's easy to miss. I'll get it fixed up.

#3 Updated by Reinis Adovics almost 2 years ago

Thank you sooo much!
I am constantly sitting on the 2.4 beta edge (currently 2.4.0.b.20170627.1443), just let me know and I will test it.
Maybe the issue that for IKEv2 charon screams "no trusted certificate found for 'username' to verify TLS peer" when using user certificates that are created via User Manager, but gladly accepts "manually" created User Certificates, lies elsewhere (not SAN DNS), but I doubt it.

#4 Updated by Jim Pingle almost 2 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Works fine now.

#6 Updated by Reinis Adovics over 1 year ago

Pardon for late reply.
Yes, user certs that are (auto)generated via System > User manager > Users > Add now work with cert based IKEv2. Both on macOS and iOS. Haven't tested MSW yet though.
Thank you!