
Extension table doesn't show subject alternative name value #214

Open
TheBZKing opened this issue May 28, 2024 · 3 comments
Labels
non-issue Misconfiguration on client end or behavior is expected and by design

Comments


TheBZKing commented May 28, 2024

I need to check the subject alternative DNS names before issuing a certificate but the Get-PendingRequest and Get-ADCSDatabaseRow both don't display the DNS names.

Connect-CertificationAuthority -ComputerName MyCA | Get-AdcsDatabaseRow -Table Extension -RowID 838 -Filter "ExtensionName -eq 2.5.29.17"


Crypt32 commented Aug 2, 2024

This means that the SAN extension doesn't exist in the request. I've checked this scenario in my CA:

PS C:\> Connect-CA | Get-AdcsDatabaseRow -Table Extension -RowID 1001423 -Filter "ExtensionName -eq 2.5.29.17"


ExtensionRequestId : 1001423
ExtensionName      : 2.5.29.17
ExtensionFlags     : 131072
ExtensionRawValue  : MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t

ExtensionNameOid   : System.Security.Cryptography.Oid
RowId              : 1001423
RequestId          : 0
ConfigString       : redacted\redacted
Table              : Extension
Properties         : {[ExtensionRequestId, 1001423], [ExtensionName, 2.5.29.17], [ExtensionFlags, 131072], [ExtensionRa
                     wValue, MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t
                     ]...}



PS C:\>

@Crypt32 Crypt32 added the non-issue Misconfiguration on client end or behavior is expected and by design label Aug 2, 2024
TheBZKing (Author) commented

Hello,

Thank you for your time. Of course I've tested this with a PKI certificate with a SAN extension and a filled-in DNS name. Could you try this out on a certificate with a SAN extension and show me the DNS name in the output? This does not work for me. =(


Crypt32 commented Aug 6, 2024

You need to look into ExtensionRawValue, which contains the ASN.1-encoded SAN extension (in this particular case). You can decode it this way:

PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> ipmo pspki
PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> $asnEncoded = New-Object System.Security.Cryptography.AsnEncodedData (,$bin)
PS C:\> $san = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asnEncoded,$false
PS C:\> $san

AlternativeNames                                      Critical Oid                                  RawData
----------------                                      -------- ---                                  -------
{Other Name:Principal Name=administrator@contoso.com}    False Subject Alternative Name (2.5.29.17) {48, 43, 160, 41...


PS C:\> $san.AlternativeNames

             Type OID                                     Value                     RawData
             ---- ---                                     -----                     -------
UserPrincipalName Principal Name (1.3.6.1.4.1.311.20.2.3) administrator@contoso.com {160, 41, 6, 10...}


PS C:\>

$san.AlternativeNames contains a collection of all SAN entries in the extension.
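The same ExtensionRawValue decoded without PSPKI, as an added example that is not from this thread or the PSPKI project: a small pure-Python DER walker over the SubjectAltName GeneralNames, so a reviewer can list the UPN and DNS entries of a pending request before approving it. The base64 value is the one Crypt32 posted above; the dNSName sample is constructed for the DNS-name case the issue asks about.

```python
import base64

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName type

# Constructed sample: SEQUENCE { [2] dNSName "www.contoso.com" } (not from the thread)
DNS_SAMPLE_B64 = base64.b64encode(b"\x30\x11\x82\x0f" + b"www.contoso.com").decode()

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                    # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def decode_san(raw_b64):
    """Decode a base64 ExtensionRawValue (OID 2.5.29.17) into a list of (kind, value) tuples."""
    der = base64.b64decode(raw_b64)
    tag, names, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension must be a SEQUENCE OF GeneralName")
    out, pos = [], 0
    while pos < len(names):
        tag, val, pos = _tlv(names, pos)
        choice = tag & 0x1F                # context tag number = GeneralName CHOICE
        if choice == 0:                    # otherName: type-id OID, then [0] EXPLICIT value
            _, oid_bytes, p = _tlv(val, 0)
            oid = _oid(oid_bytes)
            _, inner, _ = _tlv(val, p)     # strip the [0] wrapper
            if oid == UPN_OID:
                _, text, _ = _tlv(inner, 0)  # UTF8String carrying the UPN
                out.append(("UPN", text.decode("utf-8", "replace")))
            else:
                out.append((f"otherName:{oid}", inner.hex()))
        elif choice == 1:
            out.append(("rfc822Name", val.decode("ascii", "replace")))
        elif choice == 2:
            out.append(("dNSName", val.decode("ascii", "replace")))
        elif choice == 7:
            out.append(("iPAddress", ".".join(map(str, val)) if len(val) == 4 else val.hex()))
        else:
            out.append((f"generalName[{choice}]", val.hex()))
    return out
```

A UPN-only SAN on a request for a template that does not expect one is exactly the kind of entry a CA manager wants to see before issuing, which is why listing every GeneralName rather than only dNSName matters here.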
