packaging: setup: pki: Set subjectAltName

pki-enroll-request.sh is able to set the subjectAltName (SAN). The CA forum baseline requirements declares subjectAltName as required. Google Chrome seems to require the subjectAltName set in server certificates, and urllib3 generates warnings, if subjectaltName is not set. Change-Id: I022976407f0a8be14a6bde06da553c0d3348f7e7 Bug-Url: https://bugzilla.redhat.com/1449084 Signed-off-by: Dominik Holler <dholler@redhat.com>
oVirt · May 10, 2017 · d8a8f85 · d8a8f85
1 parent 2017c30
commit d8a8f85
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 5 deletions.
diff --git a/packaging/bin/pki-enroll-pkcs12.sh b/packaging/bin/pki-enroll-pkcs12.sh
@@ -6,7 +6,8 @@ enroll() {
  local subj="$3"
  local ovirt_ku="$4"
  local ovirt_eku="$5"
- local keep_key="$6"
+ local ovirt_san="$6"
+ local keep_key="$7"
 
  local req="${PKIDIR}/requests/${name}.req"
  local cert="${PKIDIR}/certs/${name}.cer"
@@ -49,6 +50,7 @@ enroll() {
  --subject="${subj}" \
  --ku="${ovirt_ku}" \
  --eku="${ovirt_eku}" \
+ --san="${ovirt_san}" \
  || die "Cannot sign request"
 
  touch "${pkcs12}"
@@ -77,6 +79,7 @@ Result will be at ${PKIDIR}/keys/PREFIX.p12
  --subject=subject X.500 subject name.
  --ku=ku optional custom key usage.
  --eku=ekus optional custom extended key usage.
+ --san=san optional X.509 subject alternative name.
  --keep-key reissue certificate based on previous request.
 __EOF__
 }
@@ -111,6 +114,9 @@ while [ -n "$1" ]; do
  --eku=*)
  OVIRT_EKU="${v}"
  ;;
+ --san=*)
+ OVIRT_SAN="${v}"
+ ;;
  --keep-key)
  KEEP_KEY="1"
  ;;
@@ -129,4 +135,4 @@ done
 [ -n "${PASSWORD}" ] || die "Please specify password"
 [ -n "${SUBJECT}" ] || die "Please specify subject"
 
-enroll "${NAME}" "${PASSWORD}" "${SUBJECT}" "${OVIRT_KU}" "${OVIRT_EKU}" "${KEEP_KEY}"
+enroll "${NAME}" "${PASSWORD}" "${SUBJECT}" "${OVIRT_KU}" "${OVIRT_EKU}" "${OVIRT_SAN}" "${KEEP_KEY}"
diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh
@@ -6,6 +6,7 @@ sign() {
  local days="$3"
  local ovirt_ku="$4"
  local ovirt_eku="$5"
+ local ovirt_san="$6"
 
  local req="requests/${name}.req"
  local cert="certs/${name}.cer"
@@ -15,10 +16,12 @@ sign() {
  local EXTRA_COMMAND
  if openssl x509 -text -in ca.pem | grep "Subject Key Identifier" > /dev/null; then
  local extsection="v3_ca"
+ [ -n "${ovirt_san}" ] && extsection="v3_ca_san"
  [ -n "${ovirt_ku}" -o -n "${ovirt_eku}" ] && extsection="custom"
  EXTRA_COMMAND="-extfile cert.conf -extensions ${extsection}"
  fi
- OVIRT_KU="${ovirt_ku}" OVIRT_EKU="${ovirt_eku}" openssl ca \
+ OVIRT_KU="${ovirt_ku}" OVIRT_EKU="${ovirt_eku}" OVIRT_SAN="${ovirt_san}" \
+ openssl ca \
  -batch \
  -policy policy_match \
  -config openssl.conf \
@@ -48,7 +51,8 @@ Certificate will be available at: ${PKIDIR}/certs/PREFIX.cer
  --subject=subject X.500 subject name.
  --days=n issue days.
  --ku=ku optional custom key usage.
- --eku=ekus optional custom extended key usage
+ --eku=ekus optional custom extended key usage.
+ --san=san optional X.509 subject alternative name.
  --timeout=n lock timeout, default=20
 __EOF__
 }
@@ -86,6 +90,9 @@ while [ -n "$1" ]; do
  --eku=*)
  OVIRT_EKU="${v}"
  ;;
+ --san=*)
+ OVIRT_SAN="${v}"
+ ;;
  --timeout=*)
  TIMEOUT="${v}"
  ;;
@@ -141,7 +148,7 @@ done
 (
  flock -e -w "${TIMEOUT}" 9 || die "Timeout waiting for lock. Giving up"
  cd "${PKIDIR}"
- sign "${NAME}" "${SUBJECT}" "${DAYS}" "${OVIRT_KU}" "${OVIRT_EKU}"
+ sign "${NAME}" "${SUBJECT}" "${DAYS}" "${OVIRT_KU}" "${OVIRT_EKU}" "${OVIRT_SAN}"
 ) 9< "${LOCK}"
 result=$?
 

diff --git a/packaging/pki/cert.template.in b/packaging/pki/cert.template.in
@@ -12,13 +12,25 @@ x509_extensions = v3_ca
 
 [v3_ca]
 
+# On updating this section, [v3_ca_san] may be updated, too.
 subjectKeyIdentifier = hash
 authorityInfoAccess = caIssuers;URI:@AIA@
 authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = CA:false
 keyUsage = critical,digitalSignature,keyEncipherment
 extendedKeyUsage = critical,serverAuth,clientAuth
 
+[v3_ca_san]
+
+# This section is a copy of the section [v3_ca] extended by subjectAltName.
+subjectKeyIdentifier = hash
+authorityInfoAccess = caIssuers;URI:@AIA@
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = critical,serverAuth,clientAuth
+subjectAltName = ${ENV::OVIRT_SAN}
+
 [custom]
 subjectKeyIdentifier = hash
 authorityInfoAccess = caIssuers;URI:@AIA@

diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
@@ -210,6 +210,11 @@ def _enrollCertificate(self, name, uninstall_files, keepKey=False):
  self.environment[osetupcons.ConfigEnv.FQDN],
  ),
  ),
+ '--san=DNS:%s' % (
+ self._subjectComponentEscape(
+ self.environment[osetupcons.ConfigEnv.FQDN],
+ ),
+ ),
  ) + (('--keep-key',) if keepKey else ())
  )
  uninstall_files.extend(