I am trying to implement Mutual Authentication in Kubernetes, I am able to create the certificate and able to configure it into the cluster too, But I am getting error when I send certificate from client side.
So here is the problem
When I create the certificate I have to give Common Name. This field must contain a fully qualified domain name.
Since my domain name is very long 93 characters, it is not allowing me to enter my domain name,
My doubt is, is it mandatory to have full domain Name in Common Name field while generating the certificate, or do we have any workaround for this.
TIA
You can provide the Fully Qualified Domain Named(FQDN) in Subject Alternative Name instead of Common Name. Subject Alternative Name don't have the limitation of 64 characters.
The general rule is that the domain is checked against all SANs and the common name. If the domain is found there, then the certificate is ok for connection.
RFC 5280, section 4.1.2.6 says "The subject name MAY be carried in the subject field and/or the subjectAltName extension". This means that the domain name must be checked against both SubjectAltName extension and Subject property (namely it's common name parameter) of the certificate. These two places complement each other, and not duplicate it. And SubjectAltName is a proper place to put additional names, such as www.domain.com or www2.domain.com
As per RFC 6125, published in '2011 the validator must check SAN first, and if SAN exists, then CN should not be checked. Note, that the RFC 6125 is relatively recent and there still exist certificates and CAs that issue certificates, which include the "main" domain name in CN and alternative domain names in SAN. I.e. by excluding CN from validation if SAN is present, you can deny some otherwise valid certificate
Related
If I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com.
Will I get the green lock even if assets.example2.com does not have a certificate, but assets.example.com does?
Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).
If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.
If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.
In addition, if multiple certificates need to be used at the same time on this IP address (and same port), support for Server Name Indication (SNI) may be required.
Alternatively, having a single certificate that supports all these names, typically via multiple Subject Alternative Name (SANs) entries, or possibly via wildcard names (which are not recommended), may be used.
This is independent of the DNS resolution mechanism (CNAME or A record).
This may be a trivial question but a friend asked me this the other day and I couldn't explain it properly.
So, as far as I know, a TSL certificate contains (among others) the name of the subject and some information used to generate the public key.
The subject would be a domain name like www.example.com
Of course, the name of the domain(s) must be included so that only the certificate for example.com and be used on example.com and not the certificate of another domain (certificate swapping).
But (!) it is somehow anchored in my brain that the certificate also identifies the owner (person) in some fashion and proves that the domain is owned by an identified human.
Is this not the case? Is the purpose of a TLS certificate really just mapping public-key-information to a domain name?
Thanks.
I work with a web application used by several business units in my organization. The application is accessed using a general URL http://app/ but some of the units use a business friendly URL e.g. http://bu1/, http://bu2/ etc.
The application is soon to be integrated with a portal that requires it to be configured to use SSL and I was advised to request a certificate using a fully qualified domain name so I went with app.company.com. The certificate has been installed on the server and users access it using https://app.company.com/.
However I would also like them to be able to use https://app/ or https://bu1/ or http://bu1/ etc. I'm not clear on how to do this, I think I have the following options:
Should I have requested a certificate without using the fully qualified domain name, just the CNAME?
I keep coming across subject alternative names but they appear to relate to different domains and I'd rather the users didn't need to use a domain at all. 3. Shoud I be looking for a wildcard certificate instead? I think one of the posts on here says they are not recommended.
Do I need a certificate per domain?
Many thanks for any advice!
SSL certificate providers will not hand out a certificate unless it lists a fully qualified domain name that you own through a registrar, so you will not be able to get a signed certificate for https://app/ for instance.
What you need to do in this case, if you really want users to be able to access your app through https://app/, is to create your own self-signed SSL certificate, then insert the certificate into the browser's trusted certificate list on every computer in the company.
For this use case you should set up a certification authority inside your company and issue certificates for the internal domains using your own CA. You'll have to make sure that the computers inside your company trust your root CA certificate automatically.
Also, you can't buy SSL certificates for an internal domain name/reserved IP address anymore.
From the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0 (emphasis is mine):
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name. Address or Internal Server Name.
A PCI Compliance scanner is balking that the self signed SSL certificate protecting secure access to Plesk Panel contains a name mismatch between the location of the Plesk Panel and the name on the certificate, namely the self-signed cert's name is "Parallels" and the domain to reach Plesk is 'ip address:8443'.
So I figured I would go ahead and get a free SSL certificate to try to fiddle with this error. But when I generated the certificate I used my server domain name as the site name when I generated the certificate. So if I visit 'domain name:8443' all is fine, no ssl warning. But if I visit 'ip address:8443' (which I believe is what the scanner does) I get the certificate name mismatch error, Digicert's ssl checker says that the certificate name should be the ip address.
Can I even generate a certificate whose common name is the ip address? I am tempted to say I should just do what the PCI scanner accepts, but what is really the correct common name to use? Anybody run into this issue before?
You can try a Subject Alternative Name extension for the IP address. Also, you can keep "Parallels" as the Common Name, and add a Subject Alternative Name extension for the DNS name, which should be the preferred match (i.e. higher precedence than Common Name.)
Can I even generate a certificate whose common name is the ip address?
No, you shouldn't. While this may work with some browser, this will fail with clients that are compliant with the HTTPS specification:
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
If you want to use an IP address in a certificate, you must have it in as a Subject Alternative Name (of type IP address, not DNS). You can check this question for details on how to do this.
However, more importantly, it sounds like in your case you don't need to use the IP address at all.
The purpose of certificate name verification is to check that the identity in the certificate matches the identity as requested by the client. (Reverse lookups or other names don't matter.)
The fact that you've already configured your system for your domain name and that it works when using the name means that it's already configured properly. It sounds like your giving your scanning tool the IP address of what you're trying to scan (which isn't what the clients would normally use): make it use your host name instead. That's what the scanning tool should try to compare anyway.
Can I even generate a certificate whose common name is the ip address?
(Thanks Bruno for pointing to right solution) There is enough to set subjectAltName in CSR.
IFAIK there is no such option in Plesk, but here good instruction for openssl http://apetec.com/support/GenerateSAN-CSR.htm
If I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com.
Will I get the green lock even if assets.example2.com does not have a certificate, but assets.example.com does?
Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).
If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.
If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.
In addition, if multiple certificates need to be used at the same time on this IP address (and same port), support for Server Name Indication (SNI) may be required.
Alternatively, having a single certificate that supports all these names, typically via multiple Subject Alternative Name (SANs) entries, or possibly via wildcard names (which are not recommended), may be used.
This is independent of the DNS resolution mechanism (CNAME or A record).