
Bug 1450629

Summary: pki utils should set SubjectAltName by default
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: PKI
Assignee: Yedidyah Bar David <didi>
Status: CLOSED NOTABUG
QA Contact: Pavel Stehlik <pstehlik>
Severity: medium
Priority: unspecified
Version: 4.1.1.8
CC: astepano, bugs, ylavi
Target Milestone: ovirt-4.1.4
Keywords: Reopened
Target Release: ---
Flags: rule-engine: ovirt-4.1+, rule-engine: exception+
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-07-06 13:16:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---
Bug Depends On: 1449084
Bug Blocks: 1449503

Description Yedidyah Bar David 2017-05-14 06:10:22 UTC
Description of problem:

bug 1449084 introduced a new option to the pki utils, '--san', to set the certificate's Subject Alternative Name. engine-setup was also patched by that bug to pass this option. However, these utils are sometimes called directly by end-users, and then do not set a SAN if the option is not used.

These utils should have a default, which IMO should be 'DNS:@CN@', where '@CN@' is the CN part of the Subject (which is mandatory).

Version-Release number of selected component (if applicable):

4.1.2

How reproducible:

Always

Steps to Reproduce:
1. engine-setup
2. /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="testname" --password=mypass --subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -noout -subject | sed 's;subject= \(.*\);\1;')"
3. openssl x509 -in /etc/pki/ovirt-engine/certs/testname.cer -noout -text | grep -i -A1 'subject alt'

Actual results:

No output from last command

Expected results:

Output of last command looks like:

            X509v3 Subject Alternative Name: 
                DNS:some.dns.name

Additional info:

Without current bug, you can replace (2.) with the following command to see that '--san' does work:

/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="testname" --password=mypass --subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -noout -subject | sed 's;subject= \(.*\);\1;')" --san=DNS:some.dns.name

Comment 1 Yaniv Lavi 2017-05-15 09:35:15 UTC

*** This bug has been marked as a duplicate of bug 1444888 ***

Comment 2 Sandro Bonazzola 2017-06-12 07:49:01 UTC
*** Bug 1444888 has been marked as a duplicate of this bug. ***

Comment 3 Yedidyah Bar David 2017-07-06 13:16:18 UTC
Decided to close notabug.

Main reason is that it's hard to guess the required option type. For the engine-side entities ('apache', 'jboss', etc.), we very likely want 'DNS'. But for others, it might be 'DNS', or 'IP', or even something else in the future.

So better be safe, and require the caller to explicitly tell us.

See also:

https://security.stackexchange.com/questions/160787/ip-address-in-subjectaltname
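An added check, written for this page and not part of oVirt's pki utils, that automates step 3 of the reproduction above and illustrates the point in comment 3: given the text dump of a certificate, it reports whether any SAN is present and whether the Subject CN is covered by an entry of the matching type, deriving 'IP:' rather than 'DNS:' when the CN is an IP literal. The certificate excerpts are constructed samples, and the function names are assumptions.

```python
import ipaddress
import re

def san_for_cn(cn: str) -> str:
    """SAN entry that would match this CN: 'IP:x' for an IP literal, else 'DNS:x'."""
    try:
        ipaddress.ip_address(cn)
        return f"IP:{cn}"
    except ValueError:
        return f"DNS:{cn}"

def parse_cert_text(text: str):
    """Return (cn, [san entries]) from the output of `openssl x509 -noout -text`."""
    cn_m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = cn_m.group(1).strip() if cn_m else None
    san_m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)", text)
    sans = []
    if san_m:
        for entry in san_m.group(1).split(","):
            # openssl prints "IP Address:" in text dumps; the x509v3 config syntax is "IP:"
            sans.append(entry.strip().replace("IP Address:", "IP:"))
    return cn, sans

def check_san(text: str) -> dict:
    """Does the cert carry any SAN, and is the CN covered by an entry of the right type?"""
    cn, sans = parse_cert_text(text)
    expected = san_for_cn(cn) if cn else None
    return {"cn": cn, "sans": sans, "expected": expected,
            "has_san": bool(sans), "cn_covered": expected in sans}

# Constructed excerpts of `openssl x509 -noout -text` output, not real oVirt certificates.
NO_SAN = """\
        Subject: O = example.com, CN = engine.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""
DNS_SAN = """\
        Subject: O = example.com, CN = engine.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:engine.example.com, IP Address:192.0.2.10
"""
IP_CN = """\
        Subject: O = example.com, CN = 192.0.2.10
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:192.0.2.10
"""
```

Feed `check_san()` the output of `openssl x509 -in <cert> -noout -text`; `NO_SAN` reproduces the empty grep of step 3, and `IP_CN` shows a certificate whose only SAN is of the wrong type for its CN.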