Red Hat Bugzilla – Bug 1356104
cert-show command does not display Subject Alternative Names
Last modified: 2017-08-01 05:37:23 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6022

cert-show command and thus WebUI in IPA 4.4.0 does not display Subject Alternative Names. I think that this is quite an important feature because this information helps to define the scope when the certificate is usable.
master:
https://fedorahosted.org/freeipa/changeset/0245d2aadf8b38ba68aeacf70761bd09ad927951
https://fedorahosted.org/freeipa/changeset/dae82b25bdfbec44e5db27a6fc353a46739ed8f5
https://fedorahosted.org/freeipa/changeset/e3acc3659c6349a0de837f9441c6324055d9a100
https://fedorahosted.org/freeipa/changeset/a381d888cd6effc480c373f19f6a0ecbf00c4182
https://fedorahosted.org/freeipa/changeset/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
master:
b6a3c9dc74ccef6f8e7df4123670d7e11269198c cert-show: show validity in default output
ipa-4-4:
0d8f8896db8ad3a1c91cacfb009640602552f55f cert-show: show validity in default output

Was fixed with 4.5 rebase.
On ipa-server-4.5.0-9.el7, Subject Other Name is still not showing in default cert-show output, only showing with the --all option:

# ipa cert-show 9
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST

# ipa cert-show 9 --all
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==, 1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Fingerprint (SHA1): 85:ad:61:e0:86:67:f4:0b:f3:02:08:7e:4c:29:16:9f:9b:6a:ad:04
  Fingerprint (SHA256): 26:d2:57:06:15:fa:1a:25:55:c7:e5:92:7b:33:48:a4:b3:93:ce:11:f8:2b:d2:76:ee:3d:4a:0b:00:c5:51:a3
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
SANs are there, but they don't contain "SAN" in the label. Look at this commit to see what labels they can have:
https://pagure.io/freeipa/c/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
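
Added example, not part of the original bug comments and not FreeIPA's code: a minimal DER decoder showing that the two raw "Subject Other Name" values in the --all output above encode the same names cert-show prints under "Subject UPN" and "Subject Kerberos principal name". The function names are hypothetical; the layout assumed for 1.3.6.1.5.2.2 is KRB5PrincipalName from RFC 4556, and for 1.3.6.1.4.1.311.20.2.3 a bare UTF8String.

```python
import base64

OTHER_NAMES = {  # copied from the "Subject Other Name" line of the --all output on this page
    "1.3.6.1.4.1.311.20.2.3": "DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==",
    "1.3.6.1.5.2.2": "MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=",
}

def read_tlv(buf, pos=0):  # one DER element -> (tag, contents, offset of next element)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER contents")
    return tag, buf[pos:pos + length], pos + length

def unwrap(buf, want):  # contents of a lone element that must carry tag `want`
    tag, body, end = read_tlv(buf)
    if tag != want or end != len(buf):
        raise ValueError(f"expected lone element with tag {want:#x}")
    return body

def split(buf):  # (tag, contents) children of a constructed element's body
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        items.append((tag, body))
    return items

def decode_upn(der):
    return unwrap(der, 0x0C).decode("utf-8")  # 0x0C = UTF8String

def decode_krb5_principal(der):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    (t0, realm), (t1, pname) = split(unwrap(der, 0x30))
    if (t0, t1) != (0xA0, 0xA1):
        raise ValueError("unexpected KRB5PrincipalName layout")
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }
    (_, _name_type), (_, names) = split(unwrap(pname, 0x30))
    parts = [p.decode("ascii") for _, p in split(unwrap(names, 0x30))]
    return "/".join(parts) + "@" + unwrap(realm, 0x1B).decode("ascii")  # 0x1B = GeneralString

def decode_other_names(values=OTHER_NAMES):
    decoders = {"1.3.6.1.4.1.311.20.2.3": decode_upn, "1.3.6.1.5.2.2": decode_krb5_principal}
    return {oid: decoders[oid](base64.b64decode(b64)) for oid, b64 in values.items()}
```
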
Hello Fraser, I saw that you own the commit, could you please add "SAN" in the label? Thanks
Xiyang, it is implicit that it is an alternative name. The "S" in "SAN" is for "Subject" after all. Furthermore, "SAN" is not an official abbreviation.
Thanks Fraser. Verified on ipa-server-4.5.0-9.el7, validity is shown in default output:

# ipa cert-show 9
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304