
step ca certificate should warn when passed-in subject names are ignored #1271

Open · tashian opened this issue Sep 12, 2024 · 2 comments
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)

Comments

tashian (Contributor) commented Sep 12, 2024

When I get a certificate using an OIDC provisioner, the --san I provide is silently ignored.
step should warn the user that the flag was ignored.

Example output:

step ca certificate vpn --san strongswan.lan vpn.crt vpn.key --not-after 8784h
✔ Provisioner: authority-admin (OIDC) [client: de7774d8-a136-4e29-8450-026022a64ce4]
Your default web browser has been opened to visit:

https://auth.smallstep.com/oidc/auth?client_id=de77...

⚠️ Your subject name and --san flag were ignored. By default, OIDC provisioners issue certificates based on trusted OIDC token values only.
✔ CA: https://my.ca.smallstep.com
✔ Certificate: vpn.crt
✔ Private Key: vpn.key
tashian added the enhancement and needs triage labels on Sep 12, 2024
tashian changed the title from "step ca certificate should warn when --san is ignored" to "step ca certificate should warn passed-in subject names are ignored" on Sep 12, 2024
tashian changed the title from "step ca certificate should warn passed-in subject names are ignored" to "step ca certificate should warn when passed-in subject names are ignored" on Sep 12, 2024
hslatman (Member) commented:

  • Check if SANs are ignored in the request to the CA. If they are, it can be short-circuited in the CLI.

maraino (Collaborator) commented Sep 24, 2024

A CSR with the given SANs is created. A certificate template can be used to set the SANs from the CSR instead of the default ones for an OIDC provisioner (the email and the account URI). Example of the CSR request:

-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGcAgEAMA4xDDAKBgNVBAMTA3ZwbjBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABFtRPVaIF1eAqNRfJB1JRLjnzn/x1yjUP95Yn0P3SO+Ex7s3w5PSaoorSIUH
/h9e/LIZl971y1/PfC8Y7TcwsNqgLDAqBgkqhkiG9w0BCQ4xHTAbMBkGA1UdEQQS
MBCCDnN0cm9uZ3N3YW4ubGFuMAoGCCqGSM49BAMCA0gAMEUCIQDEN2e6NC24tpSa
ZJJgD8wZIbrVgrzN/nxrIRSIlqqEigIgNrP2wrIqkz5HtCy3UqgS0uMXRyuzw5MU
7XD43qiveK4=
-----END CERTIFICATE REQUEST-----
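
As an added example (not code from the step CLI, step-ca, or anyone in this thread): a Go program that performs the client-side check hslatman describes, by comparing the names in the CSR above (CN=vpn, DNS:strongswan.lan) against the names in the certificate that actually comes back, and producing the warning the issue asks for from whatever was dropped. The CA is a constructed stand-in: with honorCSR=false it mimics the default OIDC behaviour maraino describes (the CSR's names are discarded and only the token-derived identity ends up in the certificate), with honorCSR=true it mimics a template that copies the CSR's subject and DNS SANs. The email alice@example.com, the mock CA name and the all-zero signing seed are made-up values; the account URI SAN is left out to keep the comparison to CN, DNS and email names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// csrPEM is the request posted above: CN=vpn plus one SAN, DNS:strongswan.lan.
const csrPEM = `-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGcAgEAMA4xDDAKBgNVBAMTA3ZwbjBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABFtRPVaIF1eAqNRfJB1JRLjnzn/x1yjUP95Yn0P3SO+Ex7s3w5PSaoorSIUH
/h9e/LIZl971y1/PfC8Y7TcwsNqgLDAqBgkqhkiG9w0BCQ4xHTAbMBkGA1UdEQQS
MBCCDnN0cm9uZ3N3YW4ubGFuMAoGCCqGSM49BAMCA0gAMEUCIQDEN2e6NC24tpSa
ZJJgD8wZIbrVgrzN/nxrIRSIlqqEigIgNrP2wrIqkz5HtCy3UqgS0uMXRyuzw5MU
7XD43qiveK4=
-----END CERTIFICATE REQUEST-----`

// names flattens a CN plus DNS and email SANs into "TYPE:value" strings for comparison.
func names(cn string, dns, emails []string) (out []string) {
	if cn != "" {
		out = append(out, "CN:"+cn)
	}
	for _, d := range dns {
		out = append(out, "DNS:"+d)
	}
	for _, e := range emails {
		out = append(out, "EMAIL:"+e)
	}
	return out
}

// droppedNames lists every requested name that is missing from the issued certificate.
func droppedNames(csr *x509.CertificateRequest, cert *x509.Certificate) (dropped []string) {
	issued := map[string]bool{}
	for _, n := range names(cert.Subject.CommonName, cert.DNSNames, cert.EmailAddresses) {
		issued[n] = true
	}
	for _, n := range names(csr.Subject.CommonName, csr.DNSNames, csr.EmailAddresses) {
		if !issued[n] {
			dropped = append(dropped, n)
		}
	}
	return dropped
}

// ignoredWarning is what the CLI would print; empty when nothing was dropped.
func ignoredWarning(dropped []string) string {
	if len(dropped) == 0 {
		return ""
	}
	return fmt.Sprintf("⚠️ Ignored names from your request: %v. By default, OIDC provisioners issue certificates based on trusted OIDC token values only.", dropped)
}

// mockOIDCIssue is a stand-in CA, not step-ca code: honorCSR=false discards the CSR's names like the default OIDC provisioner, honorCSR=true copies them like a template would.
func mockOIDCIssue(csr *x509.CertificateRequest, honorCSR bool) (*x509.Certificate, error) {
	email := "alice@example.com"                                    // constructed stand-in for the token's email claim
	caKey := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway all-zero seed: mock CA only
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Mock OIDC CA"}}
	leaf := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	if honorCSR {
		leaf.Subject = csr.Subject
		leaf.DNSNames = csr.DNSNames
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkIssuance parses csrPEM, has the mock CA sign it, and returns the names the CA dropped.
func checkIssuance(honorCSR bool) ([]string, error) {
	block, _ := pem.Decode([]byte(csrPEM)) // csrPEM is the constant above, so a nil block would only mean a typo in it
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	cert, err := mockOIDCIssue(csr, honorCSR)
	if err != nil {
		return nil, err
	}
	return droppedNames(csr, cert), nil
}

func main() {
	fmt.Println(checkIssuance(false)) // default OIDC behaviour: prints [CN:vpn DNS:strongswan.lan] <nil>
}
```

The comparison is done on the parsed certificate rather than on the request the CLI sent, so it also catches names a template or provisioner silently rewrote, not only ones it dropped. In the default path `checkIssuance(false)` reports both `CN:vpn` and `DNS:strongswan.lan` as ignored and `ignoredWarning` renders the message; in the template path `checkIssuance(true)` returns nothing and no warning is printed.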
