
Bug #8381

Cert manager requires fields that aren't necessary

Added by Justin Coffman over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 03/19/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

Attempting to generate a CA or certificate via the cert management tool in the web GUI yields the following error:

"The field Distinguished name Email Address is required."

The emailAddress field is not required in any X.509v3-compliant certificate, unless that certificate is intended for use as an email signing certificate. According to RFC 5280, only a certificate intended to authenticate an email address (such as an email signing certificate) should include an email address at all, and even then, it must be done as an RFC822Name entry under the Subject Alternative Name extension.

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

In fact, the ONLY attribute that is mandatory for the DistinguishedName field in a certificate is the CommonName attribute. All other attributes should be made optional in the web GUI.
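As an added example (not pfSense's own code), this is the form check the description asks for, written as a small Python function: Common Name is the only required subject attribute, the other attributes are emitted only when filled in, and a supplied e-mail address is routed to a SAN rfc822Name, with the deprecated subject emailAddress attribute kept only when a legacy option is explicitly set. The field names, the OpenSSL-style `-subj`/`subjectAltName` output strings and the 64-character CN bound (ub-common-name from RFC 5280 Appendix A) are assumptions not taken from this ticket.

```python
import re

# Optional subject attributes the form offers, as OpenSSL short names.
OPTIONAL_ATTRS = ("C", "ST", "L", "O", "OU")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CN_REQUIRED_MSG = "The field Distinguished name Common Name is required."


def _esc(value):
    """Escape characters that are special in OpenSSL's -subj syntax."""
    return value.replace("\\", "\\\\").replace("/", "\\/").replace("=", "\\=")


def validate_subject(fields, keep_legacy_email=False):
    """Validate certificate-manager subject fields per RFC 5280.

    Returns a dict with 'errors', 'warnings', an OpenSSL -subj style
    'subject' string and a 'san' string for the subjectAltName extension.
    Only CN is required; an e-mail goes into the SAN as rfc822Name and is
    copied into the subject DN only when keep_legacy_email is set.
    """
    errors, warnings, rdns, san = [], [], [], []
    cn = (fields.get("CN") or "").strip()
    if not cn:
        errors.append(CN_REQUIRED_MSG)
    elif len(cn) > 64:  # ub-common-name upper bound, RFC 5280 Appendix A
        errors.append("Common Name is longer than 64 characters.")
    else:
        rdns.append(("CN", cn))
    for attr in OPTIONAL_ATTRS:  # emitted only when the user filled them in
        value = (fields.get(attr) or "").strip()
        if value:
            rdns.append((attr, value))
    email = (fields.get("emailAddress") or "").strip()
    if email:
        if not EMAIL_RE.match(email):
            errors.append("Email Address is not a valid e-mail address.")
        else:
            san.append("email:" + email)  # rfc822Name entry in the SAN
            if keep_legacy_email:  # deprecated but permitted by RFC 5280
                warnings.append("emailAddress in the subject DN is deprecated; "
                                "kept only for legacy clients.")
                rdns.append(("emailAddress", email))
    return {
        "errors": errors,
        "warnings": warnings,
        "subject": "".join("/%s=%s" % (k, _esc(v)) for k, v in rdns),
        "san": ",".join(san),
    }


if __name__ == "__main__":
    # Constructed sample input: CN plus an e-mail, which the fixed GUI accepts.
    print(validate_subject({"CN": "vpn.example.com", "emailAddress": "admin@example.com"}))
```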

Associated revisions

Revision 80d50253 (diff)
Added by Jim Pingle about 1 year ago

Conform CA/Cert fields to RFC 5280. Fixes #8381

Only required subject field is CN (for simplicity)
e-mail field deprecated from CA/Cert (can still be Cert SAN)

Revision 26e3967a (diff)
Added by Jim Pingle about 1 year ago

Group CA/Cert CN w/required options. Fixes #8381

Also add a note stating the other fields are optional.

History

#1 Updated by Justin Coffman over 1 year ago

Clarifying that last line:

RFC 3280 defines how the subject of a certificate or CA must be specified. Ideally, the web GUI would include logic to handle an RFC-compliant combination of cases, but reviewing section 4.1.2.6 gives the idea that this may be overly complicated. More reasonable would be to make the CommonName attribute required, and all others optional.

#2 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Version changed from 2.4.2_1 to All
  • Affected Architecture deleted (amd64)

#3 Updated by Justin Coffman over 1 year ago

FYI: RFC 5280 obsoletes RFC 3280, but provides the same guidance. I wasn't consistent previously, my apologies.

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Assigned
  • % Done changed from 100 to 80
  • Affected Architecture set to All

Still needs to be accounted for in the OpenVPN wizard.

#6 Updated by Jim Pingle about 1 year ago

  • Status changed from Assigned to Feedback
  • % Done changed from 80 to 100

#7 Updated by James Dekker about 1 year ago

On 2.4.4.a.20180720.1408, the only required field is common name to create a certificate. It is now possible to create a certificate via System > Certificate Manager and through the OpenVPN Wizard, providing only a common name.

#8 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved
