Adding a SAN to a certificate - how best to do this?


Kurt Buff

Oct 8, 2021, 5:15:11 PM10/8/21
to ntsys...@googlegroups.com
All,

I have a Windows-based security application which needs a certificate from a trusted CA. Getting a commercial certificate is an option, but for reasons of money and security, I'd prefer to use our internal CA.

The application has its own web server (java-based, AFAICT) and emits its own CSR, and documentation for the product says that a) the certificate must be generated from the CSR emitted by the application and b) the certificate requires a SAN.

However, the CSR doesn't specify a SAN (I verified that with OpenSSL), so AIUI, a SAN has to be added as part of the submittal process.

Therefore, I submitted the CSR to the CA, using the Additional Attributes field on the web page to add the SAN to the request, and a certificate was issued, and discovered there was no SAN on it - but that's actually a good thing, as the CA configuration required to be able to use that method means that the CA can be abused to issue certificates with *any* SAN.

I've perused a number of pages [1], and none of the solutions I've seen seem to work for this situation, with the possible exception of [2], which looks more complex than I want to attempt for a one-off like this.

So, I'm a bit confused, and looking for some hint on how to proceed. Any thoughts appreciated.

Kurt


[1]
This proposed solution is seriously bad juju, because it opens the CA to abuse as mentioned above:

Using PolicyRequest.inf to add a SAN to a cert - but AFAIK, this replaces using a CSR - and this installation doesn't have one, though it looks easy enough to write one. If I'm wrong about that, I'd love to hear it.

[2]
This one looks interesting:


Philip Elder

Oct 8, 2021, 5:27:45 PM10/8/21
to ntsys...@googlegroups.com

Modifying things to suit the documentation post CSR won’t work since the initial parameters did not include it.

Catch-22 there bud.

I suggest reaching out to the vendor to see what’s up.

As a ghits and siggles try using the CSR to generate a certificate then run the completion process to see if it accepts it as.

I say bug otherwise either in the software or in the documentation.


Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.


Mike Leone

Oct 8, 2021, 5:33:12 PM10/8/21
to ntsys...@googlegroups.com
On Fri, Oct 8, 2021 at 5:27 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Modifying things to suit the documentation post CSR won’t work since the initial parameters did not include it.


I've added SANs to a certificate that weren't listed in the CSR (I use the CLI to submit the CSR, and usually add the IP address as a SAN, since most CSRs don't include that). But then, I'm talking about issuing the certs ourselves.
--
"Well, it wasn't actually dreadful. It was mildly lamentable."

Michael B. Smith

Oct 8, 2021, 6:00:40 PM10/8/21
to ntsys...@googlegroups.com

If you have your CA configured properly (Windows CA, I mean) then an admin has to approve requests that include SANs that weren’t submitted by LocalSystem.

But you definitely should be able to use Additional Attributes to add SANs if the template allows them.

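The CA setting Kurt warns about (the one that makes "Additional Attributes" SANs work for any requester) and the template controls Michael refers to can both be audited from a CA admin workstation. The PowerShell below is an added example, not code from this thread; the CA config string and template name are placeholders, and it assumes certutil.exe and the ActiveDirectory module are available and that the caller can read the CA registry and the configuration partition.

```powershell
# Added example (not from the thread). Audits the CA EditFlags bit that lets request
# attributes inject SANs, and the template flags that decide who names the subject and
# whether a CA manager must approve. $CaConfig and $TemplateName are placeholders.
param(
    [string]$CaConfig     = 'CA01.corp.example\Example Issuing CA',  # placeholder "host\CA common name"
    [string]$TemplateName = 'WebServer'                              # placeholder template CN
)

$EDITF_ATTRIBUTESUBJECTALTNAME2    = 0x00040000  # CA honours SAN: attributes from any requester
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # template: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002  # template: "CA certificate manager approval"

# 1. CA-side check: certutil prints a line like "EditFlags REG_DWORD = 15014e (1376590)".
$regOut = (certutil -config $CaConfig -getreg policy\EditFlags 2>&1) -join "`n"
$editFlags = 0
if ($regOut -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $editFlags = [Convert]::ToInt32($Matches[1], 16)
}
$sanFromAttributes = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

# 2. Template-side check: template flags live on the template object in the configuration partition.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
                    -Filter "cn -eq '$TemplateName'" `
                    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
$nameFlag   = [int]$tpl.'msPKI-Certificate-Name-Flag'
$enrollFlag = [int]$tpl.'msPKI-Enrollment-Flag'
$supplyInRequest = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$managerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

# 3. Report. With the EditFlags bit clear, a SAN can only come from the CSR itself, so the
#    template's own controls (and its Enroll ACL) are what decide who can name the subject.
if ($sanFromAttributes) {
    Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is SET on $CaConfig - any enrollee can request any SAN."
    Write-Warning "Clear it with: certutil -config `"$CaConfig`" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
    Write-Warning "then restart the CA service: Restart-Service certsvc"
}
if ($supplyInRequest -and -not $managerApproval) {
    Write-Warning "Template $TemplateName lets the enrollee supply the subject with no CA manager approval; review its Enroll permissions."
}
[pscustomobject]@{
    CA                      = $CaConfig
    EditFlagsHex            = ('{0:x}' -f $editFlags)
    SanFromAttributes       = $sanFromAttributes
    Template                = $TemplateName
    EnrolleeSuppliesSubject = $supplyInRequest
    CaManagerApproval       = $managerApproval
}
```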

Kurt Buff

Oct 9, 2021, 1:55:46 PM10/9/21
to ntsys...@googlegroups.com
Michael,

Based on your comment, I suspect the template is not well configured. Root and subordinate CAs are Server 2016.

Settings on the web server template are at [1]. Assuming I'm correct, and the template is screwy, can I just update the template to fix any problems, or should I duplicate and publish a new template?

When I select to update the compatibility settings from 2003 to 2016, I get the following changes to the template reported in popups - that is, if I change the compatibility settings for the Certificate Recipient first. If I change the compatibility settings for the Certification Authority first, only the last two settings are displayed:

Certification Authority:
     Tab / Template Option
     Request Handling / Renew with the same key
     Request Handling / Authorize additional service accounts to access the private key
     Cryptography / Use alternate signature format
     Cryptography / Key Storage Provider
     Key Attestation / Required, if client is capable
     Key Attestation / Required
     Key Attestation / User credentials
     Key Attestation / Hardware certificate
     Key Attestation / Hardware key
     Key Attestation / Perform attestation only (do not include issuance policies)
     Issuance Requirements / Allow key based renewal
     Extensions / Basic Constraints
     Extensions / Enable requestor specified issuance policies
     Server / Do not store certificates and requests in the CA database
     Server / Do not include revocation information in issued certificates
    
Certificate recipient:
     Tab / Template Option
     Request Handling / For automatic renewal of smart card certificates, use the existing key if a new key cannot be created
     Subject Name / Use subject information from existing certificates for autoenrollment renewal requests


[1]
General tab:
     Validity period: 2 years
      Publish in Active Directory: not checked

Compatibility tab (This one seems way out of whack):
     Certification Authority: Windows server 2003
      Certificate recipient: Windows XP / Server 2003

Request Handling tab:
      Purpose: Signature and encryption
      All checkboxes unchecked

Cryptography tab (also seems badly configured):
     Provider Category (grayed out): Legacy Cryptography Service Provider (grayed out)
      Algorithm name (grayed out): Determined by CSP is only option in the dropdown list
      Minimum key size: 2048
     Choose which cryptographic providers can be used for requests:
     Requests must use one of the following:
      - Microsoft RSA SChannel Cryptographic Provider
     - Microsoft DH SChannel Cryptographic Provider

Key Attestation tab:
     All grayed out, with notation that "Control is disabled due to compatibility settings"

Extensions tab:
     Application Policies:
     - Server Authentication
     Basic Constraints:
     - The subject is an end entity
      Key Usage:
      - Signature requirements
      - Digital Signature
      - Allow key exchange only with key encryption
      - Critical Extension

Server tab:
     All grayed out, with notation that "Control is disabled due to compatibility settings"

Issuance Requirements tab:
     Require the following for enrollment
     - Both checkboxes not selected
     Require the following for reenrollment: grayed out

Subject Name tab
     Radio button: Supply in the request
     - Use subject information from existing certificates for autoenrollment renew request: Disabled due to compatibility settings
