Bug 1477046 - Use CommonNameToSANDefault in default profile (new installs only) [rhel-7.4.z]
Use CommonNameToSANDefault in default profile (new installs only) [rhel-7.4.z]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.3
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: IPA Maintainers
ipa-qe
: ZStream
Depends On: 1475238
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-01 02:50 EDT by Oneata Mircea Teodor
Modified: 2017-09-05 07:23 EDT (History)
10 users (show)

See Also:
Fixed In Version: ipa-4.5.0-21.el7.1.2
Doc Type: If docs needed, set a value
Doc Text:
Previously, server certificates issued by IdM listed DNS naming information only in the Common Name (CN) field. However, recent web browsers have started to ignore CN in favor of the Subject Alt Name (SAN) extension. Consequently, these browsers did not recognize the certificates as valid. With this update, the CommonNameToSANDefault profile component has been added to the default certificate profile, and new IdM installations now list the DNS information correctly.
Story Points: ---
Clone Of: 1475238
Environment:
Last Closed: 2017-09-05 07:23:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Oneata Mircea Teodor 2017-08-01 02:50:43 EDT
This bug has been copied from bug #1475238 and has been proposed to be backported to 7.4 z-stream (EUS).
Comment 2 Petr Vobornik 2017-08-01 02:54:26 EDT
master:
    1a35a2e213b46f3c5bb91d0f1b7fa05e8f051d4a (HEAD) Add CommonNameToSANDefault to default cert profile

ipa-4-5:
    33aa4c25a2c3d158e43978d8699c3776d0e06599 (HEAD) Add CommonNameToSANDefault to default cert profile
Comment 5 Fraser Tweedale 2017-08-02 07:06:45 EDT
Abhijeet,

To verify: install IPA afresh.  Use `ipa cert-request` to request a certificate
for a host or service, with the default profile (caIPAserviceCert).
DO include the host name in the CN.
DO NOT include a Subject Alt Name extension in the CSR.

The issued certificate should include the host name in the CN,
*and* in the Subject Alt Name extension as a DNS Name.
Comment 8 Abhijeet Kasurde 2017-08-03 04:22:28 EDT
Verified using following steps on IPA version :: 
ipa-server-4.5.0-21.el7_4.1.x86_64

# rpm -qa ipa-server
ipa-server-4.5.0-21.el7_4.1.x86_64

# cat > host1.cnf <<-EOF
> [ req ]
> prompt = no
> encrypt_key = no
>
> distinguished_name = dn
>
> [ dn ]
> commonName = host1.testrelm.test
> EOF
#
# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'host1.key'
-----

# ls
host1.cnf  host1.csr  host1.key

# ipa host-add host1.testrelm.test --ip-address=192.168.10.1
--------------------------------
Added host "host1.testrelm.test"
--------------------------------
  Host name: host1.testrelm.test
  Principal name: host/host1.testrelm.test@TESTRELM.TEST
  Principal alias: host/host1.testrelm.test@TESTRELM.TEST
  Password: False
  Keytab: False
  Managed by: host1.testrelm.test

# ipa cert-request
  CSR: host1.csr
  Principal: host/host1.testrelm.test@TESTRELM.TEST
    Issuing CA: ipa
    Certificate: MIIEOTCCAyGgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwODAyMTIxOTU1WhcNMTkwODAzMTIxOTU1WjA2MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRwwGgYDVQQDDBNob3N0MS50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5qjtdEoN0GbLfSWFHKeDfCmh9jvvUkfH+9PxcsI25+tsi9o9pp4tSwLa5RCJCT4kyKIybnLFf9OrkcjHqKuv42IiYTwf33YnxiRHeOidEag/MOjlkaLFYLodosoiQ1fpfUKwSrw8hDL0DGT+Qdsd0JyX5GqLTgXHodvATLdZ94UduTp+i2nLIsiwwTOoTJJqf4Bt3smVqXLbPUkVA1tG8uUF5od/kt7XK7ggbQ1P4+Zzu8dLg4RBB3uDxXK2X6Y7/6Q7JsTo0chvdHk+yuZ6xQxfvutcXWmM8pz9YhVnJhdIt56azoDSnTgiDUTTetIUQtPoPgawaCHp1wGzyD17QIDAQABo4IBTjCCAUowHwYDVR0jBBgwFoAUWIbokdALY3qmQ3AsrT2SSSJR3rgwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFPwo9rUJuQErNRTmA6J08A0BOqg4MB4GA1UdEQQXMBWCE2hvc3QxLnRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAHgWpyos8ShwSM36Gyr+HRMEw1+9qgBL7pXxoAqxrF6zg5djm9TDITTlRVH+o5efThJ1ves5Ek5sNQuF7EObhEz3E22GsA1JYbTW6e2j9FReKpp4Y3o1KHeyFH18AGfN6Y2k0VJsVZhDyhtrsTf6culZzGeLyaURQaKdZvTaQXspoG9/a9CJqdpxU9InXTMbh0FnKZiFiSxDcM55DmUnPAWHejVKOu/mU/ZGZN/6b617JmqzV1PfX+PjViG4KfXrg8HhLIyrOQrZXzt/as1naC55TzVd6pxDpU2RfN9tDCPAulCLwbgu0R+k18upyE7otKuN75SXyRc5qlaJtiGEE6s=
    Subject: CN=host1.testrelm.test,O=TESTRELM.TEST
    Subject DNS name: host1.testrelm.test
    Issuer: CN=Certificate Authority,O=TESTRELM.TEST
    Not Before: Wed Aug 02 12:19:55 2017 UTC
    Not After: Sat Aug 03 12:19:55 2019 UTC
    Serial number: 14
    Serial number (hex): 0xE
# ipa cert-show 14 --out=sample.cert
# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:host1.testrelm.test

Marking BZ as verified.
Comment 16 Nikhil Dehadrai 2017-08-20 23:19:31 EDT
IPA-server-version: ipa-server-4.5.0-21.el7_4.1.2.x86_64

Verified the bug on the basis of following observations:
1. Verified that the upgrade from RHEL 7.1.z to RHEL 7.4.1.2 is successful.
2. Also, verified the bug with following observations for fresh installs:

See below:
-------------
[root@dhcp207-177 ~]# cat host.cnf 
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
[ dn ]
commonName = dhcp207-177.testrelm.test

[root@dhcp207-177 ~]# mv host.cnf hos1t.cnf 
[root@dhcp207-177 ~]# mv hos1t.cnf host1.cnf

[root@dhcp207-177 ~]# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
..........+++
.......................+++
writing new private key to 'host1.key'
-----
[root@dhcp207-177 ~]# cat host1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZZGhjcDIwNy0xNzcudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnATcQ0hVKFzCW4ZIQ
rLLx9e/S+Yp7pnSIDA6OhTv4oU8avVRzFNvC/9DZQey/Agbtwbiht01jRBu25PyH
6tmPza4Wwi1/C/7OL6zhXHW7tNMjsM3hjUG6tE5wJhB1NaZ/v/gFO/nEk3B4v+Mp
kJdyxzMiC0KrSZBtnPo6rTTxwssyhHFQkWkfclu0mfilEpsnqVM3qYDfN7ZC8M5V
jTuow8+J2tWvssP5hmGOuCp8LTHEKTp+vx5ash79yV0bGnebOUlDT/dLQgJjMIKf
rHX556+Y5fCsdDOfMdFd1l2zUwCNFahBUdmEYxQHttfXv+XEWtJQ+TyYkUFIGNq/
CvUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBPikE+y7beGFRp3jQ+i3aaol9V
pQ4ADPBWqWh2enSRj+FovdM7XiC/TfI6D4Y19cjze8E+/KfBQghW1f9oY/VG+Xwq
CN0rtWIl686dZYA7deBPNYKfI+WvwipiLXtZaqHQN6mBWdns8gEfEHRZs+ejdiVk
7I3gx0XNEnxolQbHw77yxmfAAEt3ZrLHBjukQ0tmMmmU95t94jcC0Kz1uc24XDky
f9F0KfvbE9KdcMUuhGIV18YrWeADMI0XVd2l8e97u2B/fT43JhAabcZiSAApIqwv
Q/75yAJGoBDIvf0O1omk111Zs8181t5p0/GJeSYuAeUYwdF767M8C5c6VVy1
-----END CERTIFICATE REQUEST-----

[root@dhcp207-177 ~]# openssl req -in host1.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=dhcp207-177.testrelm.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:27:01:37:10:d2:15:4a:17:30:96:e1:92:10:
                    ac:b2:f1:f5:ef:d2:f9:8a:7b:a6:74:88:0c:0e:8e:
                    85:3b:f8:a1:4f:1a:bd:54:73:14:db:c2:ff:d0:d9:
                    41:ec:bf:02:06:ed:c1:b8:a1:b7:4d:63:44:1b:b6:
                    e4:fc:87:ea:d9:8f:cd:ae:16:c2:2d:7f:0b:fe:ce:
                    2f:ac:e1:5c:75:bb:b4:d3:23:b0:cd:e1:8d:41:ba:
                    b4:4e:70:26:10:75:35:a6:7f:bf:f8:05:3b:f9:c4:
                    93:70:78:bf:e3:29:90:97:72:c7:33:22:0b:42:ab:
                    49:90:6d:9c:fa:3a:ad:34:f1:c2:cb:32:84:71:50:
                    91:69:1f:72:5b:b4:99:f8:a5:12:9b:27:a9:53:37:
                    a9:80:df:37:b6:42:f0:ce:55:8d:3b:a8:c3:cf:89:
                    da:d5:af:b2:c3:f9:86:61:8e:b8:2a:7c:2d:31:c4:
                    29:3a:7e:bf:1e:5a:b2:1e:fd:c9:5d:1b:1a:77:9b:
                    39:49:43:4f:f7:4b:42:02:63:30:82:9f:ac:75:f9:
                    e7:af:98:e5:f0:ac:74:33:9f:31:d1:5d:d6:5d:b3:
                    53:00:8d:15:a8:41:51:d9:84:63:14:07:b6:d7:d7:
                    bf:e5:c4:5a:d2:50:f9:3c:98:91:41:48:18:da:bf:
                    0a:f5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         4f:8a:41:3e:cb:b6:de:18:54:69:de:34:3e:8b:76:9a:a2:5f:
         55:a5:0e:00:0c:f0:56:a9:68:76:7a:74:91:8f:e1:68:bd:d3:
         3b:5e:20:bf:4d:f2:3a:0f:86:35:f5:c8:f3:7b:c1:3e:fc:a7:
         c1:42:08:56:d5:ff:68:63:f5:46:f9:7c:2a:08:dd:2b:b5:62:
         25:eb:ce:9d:65:80:3b:75:e0:4f:35:82:9f:23:e5:af:c2:2a:
         62:2d:7b:59:6a:a1:d0:37:a9:81:59:d9:ec:f2:01:1f:10:74:
         59:b3:e7:a3:76:25:64:ec:8d:e0:c7:45:cd:12:7c:68:95:06:
         c7:c3:be:f2:c6:67:c0:00:4b:77:66:b2:c7:06:3b:a4:43:4b:
         66:32:69:94:f7:9b:7d:e2:37:02:d0:ac:f5:b9:cd:b8:5c:39:
         32:7f:d1:74:29:fb:db:13:d2:9d:70:c5:2e:84:62:15:d7:c6:
         2b:59:e0:03:30:8d:17:55:dd:a5:f1:ef:7b:bb:60:7f:7d:3e:
         37:26:10:1a:6d:c6:62:48:00:29:22:ac:2f:43:fe:f9:c8:02:
         46:a0:10:c8:bd:fd:0e:d6:89:a4:d7:5d:59:b3:cd:7c:d6:de:
         69:d3:f1:89:79:26:2e:01:e5:18:c1:d1:7b:eb:b3:3c:0b:97:
         3a:55:5c:b5

[root@dhcp207-177 ~]# echo Secret123|kinit admin
Password for admin@TESTRELM.TEST: 
[root@dhcp207-177 ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: dhcp207-177.testrelm.test
  Principal name: host/dhcp207-177.testrelm.test@TESTRELM.TEST
  Principal alias: host/dhcp207-177.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: SHA256:qDGz/9kVFxJb2mfsZiDy58139blBpDnVZ2+y6Ilsm1k (ssh-rsa), SHA256:6JQV2LhmHewDBa1mCM2M7i2IkMv7KU+LnviumULmXAI (ecdsa-
                              sha2-nistp256), SHA256:hfuYtKLJnEGGkNuC1/wBQi3K+kwEKMIifnvT3fnEWdM (ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------
[root@dhcp207-177 ~]# ipa cert-request 
CSR: host1.csr
Principal: host/dhcp207-177.testrelm.test@TESTRELM.TEST
  Issuing CA: ipa
  Certificate: MIIERTCCAy2gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwODE4MTQ0MDI4WhcNMTkwODE5MTQ0MDI4WjA8MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSIwIAYDVQQDDBlkaGNwMjA3LTE3Ny50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCcBNxDSFUoXMJbhkhCssvH179L5inumdIgMDo6FO/ihTxq9VHMU28L/0NlB7L8CBu3BuKG3TWNEG7bk/Ifq2Y/NrhbCLX8L/s4vrOFcdbu00yOwzeGNQbq0TnAmEHU1pn+/+AU7+cSTcHi/4ymQl3LHMyILQqtJkG2c+jqtNPHCyzKEcVCRaR9yW7SZ+KUSmyepUzepgN83tkLwzlWNO6jDz4na1a+yw/mGYY64KnwtMcQpOn6/HlqyHv3JXRsad5s5SUNP90tCAmMwgp+sdfnnr5jl8Kx0M58x0V3WXbNTAI0VqEFR2YRjFAe219e/5cRa0lD5PJiRQUgY2r8K9QIDAQABo4IBVDCCAVAwHwYDVR0jBBgwFoAUL1uVNUeazZNekVCskDqifAIjnyQwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDZt5E+3811S67+fKB0HtQGKt5xnMCQGA1UdEQQdMBuCGWRoY3AyMDctMTc3LnRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAE5c2EnmsXMQGF2nMNO7BiwWnSVV9FuBhNnZWIjIHYEJKi5llz5DVRISrrTKQVrTCzGSyeTJcJGrQX4oU1uVT9YNMMmIGhJZfh3eTWZHk8wy5HdLUzMA99jXOkMylzcA5AUY77haEHsvnVm5KE5De7Q1jFgw1x/6gZdJwRkQvh4WbrxCySeOcdRNsYhXr4COJ9VyaaJJEfmo7SFxBFLiu3KbHeuHfjn/WcTCJRuUCKFwow1Z0au0p6ikJZ1F1hEEN6I3UrcYADWdnHqd1eU1N75l+JfcuMNslepHWkbPIbxvIUhMcGaE+StmYFFE+hwQ7a//cWbfd7rFDQyC0XzgUYQ=
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@dhcp207-177 ~]# ipa cert-show 11 --out=sample.cert
  Issuing CA: ipa
  Certificate: MIIERTCCAy2gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwODE4MTQ0MDI4WhcNMTkwODE5MTQ0MDI4WjA8MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSIwIAYDVQQDDBlkaGNwMjA3LTE3Ny50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCcBNxDSFUoXMJbhkhCssvH179L5inumdIgMDo6FO/ihTxq9VHMU28L/0NlB7L8CBu3BuKG3TWNEG7bk/Ifq2Y/NrhbCLX8L/s4vrOFcdbu00yOwzeGNQbq0TnAmEHU1pn+/+AU7+cSTcHi/4ymQl3LHMyILQqtJkG2c+jqtNPHCyzKEcVCRaR9yW7SZ+KUSmyepUzepgN83tkLwzlWNO6jDz4na1a+yw/mGYY64KnwtMcQpOn6/HlqyHv3JXRsad5s5SUNP90tCAmMwgp+sdfnnr5jl8Kx0M58x0V3WXbNTAI0VqEFR2YRjFAe219e/5cRa0lD5PJiRQUgY2r8K9QIDAQABo4IBVDCCAVAwHwYDVR0jBBgwFoAUL1uVNUeazZNekVCskDqifAIjnyQwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDZt5E+3811S67+fKB0HtQGKt5xnMCQGA1UdEQQdMBuCGWRoY3AyMDctMTc3LnRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAE5c2EnmsXMQGF2nMNO7BiwWnSVV9FuBhNnZWIjIHYEJKi5llz5DVRISrrTKQVrTCzGSyeTJcJGrQX4oU1uVT9YNMMmIGhJZfh3eTWZHk8wy5HdLUzMA99jXOkMylzcA5AUY77haEHsvnVm5KE5De7Q1jFgw1x/6gZdJwRkQvh4WbrxCySeOcdRNsYhXr4COJ9VyaaJJEfmo7SFxBFLiu3KbHeuHfjn/WcTCJRuUCKFwow1Z0au0p6ikJZ1F1hEEN6I3UrcYADWdnHqd1eU1N75l+JfcuMNslepHWkbPIbxvIUhMcGaE+StmYFFE+hwQ7a//cWbfd7rFDQyC0XzgUYQ=
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner host: dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name: 
                DNS:dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# rpm -q ipa-server
ipa-server-4.5.0-21.el7_4.1.2.x86_64
[root@dhcp207-177 ~]#




Thus,on the basis of above observations, marking status of bug to "VERIFIED".
Comment 18 errata-xmlrpc 2017-09-05 07:23:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2568

Note You need to log in before you can comment on or make changes to this bug.