As a bosh user,
In order to work with certificates generated by bosh interpolate,
I need the certificates to be compliant with the specs, where the country code should be 2 digits.

As a result, tools such as openssl improperly handle them, in particular when computing their Subject Key Identifier from their Subject: the invalid Country=USA (3 digits) is excluded. This prevents regenerating new certs with new expiration dates using openssl.
```
$ show-cert blobstore_ca.ca_new
        Serial Number:
            f6:b9:5c:fc:97:14:63:86:59:43:f0:9d:82:f4:2d:c6
        Issuer: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
        Validity
            Not Before: Oct 17 12:16:58 2023 GMT
            Not After : Oct 16 12:16:58 2025 GMT
        Subject: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                94:EE:29:B3:BE:01:CB:36:93:8F:42:72:F7:A6:57:6E:8D:17:C5:78
            X509v3 Authority Key Identifier:
                45:C4:44:B9:63:4F:4A:CD:C8:A0:4C:28:31:37:60:6E:91:56:74:FE
```
Proposed fix
Add support for specifying the country code in the variables option (https://bosh.io/docs/director-certs/) so as to enable opt-in for the valid C=US instead of the invalid C=USA.
gberche-orange changed the title from "Default generated x509 certificates have invalid 3 digits USA country code" to "Default interpolated x509 certificates have invalid 3 digits USA country code" on Oct 18, 2023.
Expected behavior
Certificates compliant with the spec, where the country code should be 2 digits: https://www.ietf.org/rfc/rfc2459.html

Observed behavior
Bosh cli interpolate (https://bosh.io/docs/director-certs/) creates certificates where the country code is USA (3 digits) and thus invalid. See bosh-cli/vendor/github.com/cloudfoundry/config-server/types/certificate_generator.go, lines 187 to 199 in 1a5b8fa.

Proposed fix
The relevant code is in bosh-cli/vendor/github.com/cloudfoundry/config-server/types/certificate_generator.go, lines 28 to 37 in 1a5b8fa.

/CC @ogrand
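As an added example (not code from bosh-cli or config-server), the following Go program builds a throwaway self-signed CA whose subject mirrors the one shown above and then flags any countryName attribute that is not exactly two characters, the length RFC 5280 inherits from X.520. It assumes nothing beyond Go's standard library; the "Cloud Foundry" subject values are copied from the certificate dump in the issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// badCountryNames returns the Country attribute values of a pkix.Name that
// are not exactly two characters, as RFC 5280 (X.520 countryName) requires.
// An empty result means the name's country codes are compliant.
func badCountryNames(n pkix.Name) []string {
	var bad []string
	for _, c := range n.Country {
		if len(c) != 2 {
			bad = append(bad, c)
		}
	}
	return bad
}

// newSelfSignedCA builds a throwaway CA (constructed example) with the given
// country code. crypto/x509 does not check the length of countryName.
func newSelfSignedCA(country string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{country},
			Organization: []string{"Cloud Foundry"},
			CommonName:   "default.blobstore-ca.bosh-internal",
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	// Re-parse so the check runs on the DER a consumer would actually see.
	return x509.ParseCertificate(der)
}
```

Running badCountryNames over both Subject and Issuer of a parsed certificate is a quick pre-flight check before handing bosh-generated CAs to openssl or other strict tooling.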