eab_profile_subject_check #202
Comments
|
Hi Dirk, can you please enable debug mode ( If you prefer to share via Email please send it [email protected] Thx G. |
|
Hi G. debug was on, log to syslog... Feb 6 09:37:10 HOTacme bash[23702]: EABhandler.eab_kid_get() ended with: linux Is this enough? BR Dirk |
|
Thx .. this is helpful. Another question: what is the subject of the CSR? Can you send me the output of /G. |
|
It is complete empty without alternative name. Certificate Request: |
|
Thank you once again. The reason for the failed check is that your EAB profile mandates the presence of certain subject attributes (such as O, OU, L, C), which are missing in your CSR. Perhaps the description of the subject-profiling feature needs improvement. The main aim of this feature is not to set subject attributes (as modifying a CSR would break the signature, which is impossible for transit devices like acme2certifier) but rather to check the attributes from a submitted CSR against pre-defined values from your profile file. It seems you would like to enforce certain attributes to be set in the certificate. If this is the case, I suggest doing this via a template on the CA server itself. Or did I misunderstand your intention? Best regards, G. |
|
I assumed that I would be able to set the values automatically. I misunderstood that.
If I can do this in acme2certifier, I don't have to do it in the MS CA, because then I would need countless templates. The changes in acme2certifier would be much easier to realise. Is this possible to set these CSR values?
Best regards
Dirk
Von: grindsa ***@***.***>
Gesendet: Donnerstag, 6. Februar 2025 20:14
An: grindsa/acme2certifier ***@***.***>
Cc: Dirk-Michael Brosig ***@***.***>; Author ***@***.***>
Betreff: Re: [grindsa/acme2certifier] eab_profile_subject_check (Issue #202)
Thank you once again. The reason for the failed check is that your EAB profile mandates the presence of certain subject attributes (such as O, OU, L, C), which are missing in your CSR.
Perhaps the description of the subject-profiling <https://github.com/grindsa/acme2certifier/blob/master/docs/eab_profiling.md#subject-profiling> feature needs improvement. The main aim of this feature is not to set subject attributes (as modifying a CSR would break the signature, which is impossible for transit devices like acme2certifier) but rather to check the attributes from a submitted CSR against pre-defined values from your profile file.
It seems you would like to enforce certain attributes to be set in the certificate. If this is the case, I suggest doing this via a template on the CA server itself.
Or did I misunderstand your intention?
Best regards, G.
—
Reply to this email directly, view it on GitHub <#202 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABR5SYQXQO3V5FWZOZKL35T2OOX7VAVCNFSM6AAAAABWS6DYFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNBQG43TCOBVGA> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABR5SYQRDOWYD7S3PXEBMD32OOX7VA5CNFSM6AAAAABWS6DYFCWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTU5M35QU.gif> Message ID: ***@***.*** ***@***.***> >
|
Hi,
in V0.36 with EAB against MS-AD config like example
"linux":
{
"hmac": "xxxx",
"cahandler":
{
"template_name": "WebserverACME",
"subject":
{
"commonName": "*",
"organizationName": "blabla",
"organizationalUnitName": "blabla",
"countryName": "DE",
"stateOrProvinceName": "Mecklenburg-Vorpommern",
"localityName": "blabla"
}
}
}
}
bring error
Helper.eab_profile_subject_check() failed for: ['commonName', 'organizationName', 'organizationalUnitName', 'countryName', 'stateOrProvinceName', 'localityName']
../tools/eab_chk.py -c acme_srv.cfg show everything is fine. The template_name was taken from config file, subject data not.
What's wrong?
Best regards
Dirk
The text was updated successfully, but these errors were encountered: