What would you like to be added:
I created a CSR with URL-type SANs (SPIFFE), approved it - the generated cert includes the other SANs, but not the URL one.
The bug seems to be in cloudflare.cfssl.ParseCertificateRequest - the template doesn't copy from the CSR.
Why is this needed:
It would allow using the K8S CA to generate Istio or other SPIFFE certificates, without having to run a separate CA.
Note that as a workaround I tried to create a CSR for an intermediary - but K8S generated a cert that doesn't have 'Root=true'. This might be by design - it would be good to document what parts of the CSR are supported, and maybe it would be good to allow intermediaries to be signed.
I haven't figured out why this is happening.
Including the used CSR and result:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
openssl req -in csr.pem -noout -text
...
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Generated:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
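The issue above describes a signer whose certificate template is built from the parsed CSR but leaves the URI SANs behind. The following added example (not code from the issue author, Kubernetes or cfssl) reproduces that failure mode with the standard library alone: it creates a CSR carrying a DNS name and a constructed `spiffe://` URI, signs it with a throwaway in-memory CA using two templates, one that copies `csr.URIs` and one that does not, and then compares the issued certificate's URIs against the request. The `missingURIs` check is what an operator would run against a cert returned by the CSR API to confirm the requested URI SANs actually survived signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// buildCSR generates a key pair and a CSR with DNS and URI SANs, then parses
// it back the way a signer would (DER in, *x509.CertificateRequest out).
func buildCSR(dns []string, uris []string) (*ecdsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var parsed []*url.URL
	for _, u := range uris {
		pu, err := url.Parse(u)
		if err != nil {
			return nil, nil, err
		}
		parsed = append(parsed, pu)
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "workload"},
		DNSNames: dns,
		URIs:     parsed,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, err
	}
	// A signer must verify the proof of possession before honouring the CSR.
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	return key, csr, nil
}

// templateFromCSR copies SAN fields from the parsed CSR into a leaf template.
// copyURIs=false models the reported bug: every SAN type except URIs is carried over.
func templateFromCSR(csr *x509.CertificateRequest, copyURIs bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        csr.Subject,
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:       csr.DNSNames,
		EmailAddresses: csr.EmailAddresses,
		IPAddresses:    csr.IPAddresses,
	}
	if copyURIs {
		t.URIs = csr.URIs
	}
	return t
}

// newCA builds a self-signed in-memory CA used only for this demonstration.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(100),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// missingURIs lists the CSR URIs that are absent from the issued certificate.
func missingURIs(csr *x509.CertificateRequest, cert *x509.Certificate) []string {
	have := map[string]bool{}
	for _, u := range cert.URIs {
		have[u.String()] = true
	}
	var missing []string
	for _, u := range csr.URIs {
		if !have[u.String()] {
			missing = append(missing, u.String())
		}
	}
	return missing
}

// Demo signs one CSR with a faithful and a lossy template and returns how many
// requested URI SANs each issued certificate dropped.
func Demo() (faithfulMissing int, lossyMissing int, err error) {
	// Constructed sample identifiers; the SPIFFE ID is a placeholder, not from the issue.
	_, csr, err := buildCSR([]string{"workload.default.svc"}, []string{"spiffe://cluster.local/ns/default/sa/default"})
	if err != nil {
		return 0, 0, err
	}
	caKey, caCert, err := newCA()
	if err != nil {
		return 0, 0, err
	}
	counts := make([]int, 2)
	for i, copyURIs := range []bool{true, false} {
		der, err := x509.CreateCertificate(rand.Reader, templateFromCSR(csr, copyURIs), caCert, csr.PublicKey, caKey)
		if err != nil {
			return 0, 0, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return 0, 0, err
		}
		counts[i] = len(missingURIs(csr, cert))
	}
	return counts[0], counts[1], nil
}

func main() {
	faithful, lossy, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("URI SANs dropped: faithful template=%d, lossy template=%d\n", faithful, lossy)
}
```

The same `missingURIs` comparison works on real material: parse the PEM you submitted with `x509.ParseCertificateRequest` and the returned cert with `x509.ParseCertificate`, and any non-empty result means the signer silently narrowed the identity you asked for.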