Feature #7666


Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager

Added by Reinis Adovics over 7 years ago. Updated about 7 years ago.

User Manager / Privileges

Adding SAN DNS:username to User Certificates that are created via User Manager the same way as it is done via Cert. Manager.

Way No. 1 of creating a user cert:

When creating an Internal certificate of type User Certificate via
System > Cert. Manager > Certificates > Add
a SAN field is added with DNS equal to the username,
unless, of course, the Alternative Names (FQDN (called DNS in the $altname_types array as found in system_certmanager.php), IP, email, URI) are overridden in this creation form.

The logic is located here, where

$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");

is set.

This results in a user cert:

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
SAN: DNS: username
EKU: TLS Web Client Authentication

Way No. 2 of creating a user cert:

When creating a User via
System > User manager > Users > Add

and choosing to create a user cert along the way, no such thing happens.

That results in a user cert:

emailAddress=some@email.tld, ST=Riga, O=MYORG, L=Riga, CN=username, C=LV
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication

(missing the SAN field)

This SAN field is needed for cert-based user authentication when handshaking the TLS peer certificate in IKEv2 (isn't it?).

Currently IT IS POSSIBLE (and I am using it) to use way No. 1 to generate User certificates for certificate-based IKEv2 user authentication.
Meanwhile, for other user needs AS WELL AS cert-based OpenVPN authentication, one can (and I do) add users via the User manager, just clicking "create certificate" in the user adding process, and everything works. In the cert manager I can nicely see all user certificates that are "In Use" in the "User Cert" space.
This different behaviour makes things "loose" in terms of "user management / overview".

If User certificates that are created via System > User manager > Users > Add, along with creating the user itself, contained the SAN: DNS: username field, then these certificates could be used much more broadly.
My example case is that in the user manager the admin could clearly see all users (that are created for whatever reasons), and especially all users that are created for VPN access could also be managed from there (with no need to "manually" jump around and create certs in the cert manager). User certs that are created in the user manager would work for both OpenVPN as well as IKEv2 use cases (my goal).
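An added example, not part of the original report and not pfSense code: a small POSIX shell script that reproduces the two certificate shapes described above (one with SAN DNS:<username>, one without) as throw-away self-signed certs and then checks each one for the SAN that matches its own CN. The same check function can be pointed at certificates exported from Cert. Manager to see which user certs were created the "User Manager" way. It assumes only the openssl CLI; the username "alice", the organisation "MYORG" and the file names are made up.

```shell
#!/bin/sh
# Added example (not pfSense code): build two throw-away user certificates the
# way the two pfSense forms do (one with SAN DNS:<username>, one without) and
# check each for the SAN that certificate-based IKEv2 peer matching relies on.
# Assumes only the openssl CLI; user "alice", org "MYORG" and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl config for a user certificate. $1=username, $2=file.
# Section "nosan" mirrors User Manager output, "withsan" mirrors Cert. Manager.
write_cfg() {
  cat > "$2" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $1
O = MYORG
[nosan]
extendedKeyUsage = clientAuth
[withsan]
extendedKeyUsage = clientAuth
subjectAltName = DNS:$1
EOF
}

# Self-sign a throw-away user cert. $1=username, $2=extension section, $3=output PEM.
make_cert() {
  write_cfg "$1" "$WORK/$1-$2.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1-$2.key" -out "$3" \
    -config "$WORK/$1-$2.cnf" -extensions "$2" >/dev/null 2>&1
}

# Print the commonName of a certificate ($1 = PEM path).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline \
    | sed -n 's/^ *commonName *= *//p'
}

# Print the SAN entries (e.g. "DNS:alice, DNS:other") of a certificate, or nothing.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 if the cert carries SAN DNS:<its own CN>, 1 otherwise.
has_san_dns_cn() {
  cn=$(cert_cn "$1")
  case ",$(cert_san "$1" | tr -d ' ')," in
    *",DNS:$cn,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed samples: one cert per creation path.
make_cert alice withsan "$WORK/certmgr.pem"   # shape produced via Cert. Manager
make_cert alice nosan   "$WORK/usermgr.pem"   # shape produced via User Manager

for c in "$WORK/certmgr.pem" "$WORK/usermgr.pem"; do
  if has_san_dns_cn "$c"; then
    echo "$(basename "$c"): OK, SAN DNS:$(cert_cn "$c") present"
  else
    echo "$(basename "$c"): MISSING SAN DNS:$(cert_cn "$c")"
  fi
done
```

To audit real certificates, export them from Cert. Manager as PEM and call has_san_dns_cn on each file; the check deliberately matches the SAN against the certificate's own CN rather than a hard-coded name, so it works for any username.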
