Failed to get a certificate from EST server during x509 Provisioning when CSR subject contains additional fields (not only CN) #455
Comments
Yes, it's a known bug. We've received the same bug report at Azure/iotedge#6579 previously.
It's not logged anywhere by certd if that's what you're asking. You could compile your own debug build and step through with a debugger. Or you could spin up a tiny netcat server and set it as the EST endpoint.
Thank you @arsing. You answered my questions.
@bemol38 we've triaged the bug and are working on a fix. Might be slotted for a slightly later release as we line up some other fixes and security patches. How urgent is this for you?
Hi @jlian
Would you be able to have DigiCert configure the EST endpoint to not require organizational_unit (OU) field in the meantime?
Hi @jlian,
Hey folks, the change is merged (thanks @onalante-msft). Ideally, we could have you try it before we take it for the release:
@bemol38 do you think you could give it a try this week?
Hi @jlian, thanks a lot for your valued assistance!
Thanks for fixing this!
Hi everybody,
What I want to achieve is to provision my device to my DPS, using X509 certificate attestation, using as identity_cert a certificate issued by a Digicert EST end-point, which requires a CSR containing both common_name (CN) and organizational_unit (OU) fields.
To authenticate to the EST server, a pre-existing "birth" certificate (according to our own terminology) is used, the key pair of which is stored in TPM.
Therefore my config.toml template looks like below, and the env variables are substituted with the envsubst command, before aziotctl config is applied.
By doing so, we get the following error (see end of the log):
As you can see, the EST server rejected the request because of a missing value for subject.organization_unit.
My first question would be: is there a way to look into what the CSR really contains?
To check if the problem could come from the EST end-point, I first created a CSR manually:
which gave:
and then sent the CSR to the EST end-point:
one can see that the certificate could be issued:
What I also tried is to use the Certificate Service to send the CSR, after having created the needed config files in certd and keyd.
With those files configured, I could submit the CSR with this command:
and got a valid certificate too. From this success I concluded that the problem is not sending the CSR but creating the CSR.
So my actual conclusion is: there is a problem with the CSR that the Identity Service is generating and sending to the EST end-point.
I would really appreciate any help to better diagnose the problem.
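As an added example (not code from this issue or from the aziot project), the kind of check the post above asks for: build a CSR whose subject carries both CN and OU, then read its subject back so a missing OU is spotted before the CSR ever reaches the EST endpoint. It assumes an `openssl` binary on PATH; device names and file paths are constructed.

```shell
# Added example, not code from the issue: create a CSR carrying CN and OU,
# then read the subject back to catch a missing OU before EST submission.
# All names and paths are constructed for illustration.
set -eu
WORK="${TMPDIR:-/tmp}/csr-check.$$"
mkdir -p "$WORK"

# Minimal req config so 'openssl req -new -subj' works without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Throwaway P-256 key (a real device keeps its key in keyd / the TPM).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/key.pem" 2>/dev/null

# make_csr NAME SUBJECT: write a CSR with the given subject; prints its path.
make_csr() {
    openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    echo "$WORK/$1.csr"
}

# csr_subject CSR: one subject attribute per line with short names, e.g. "OU=IoT Devices".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname \
        | sed -e '/^subject=/d' -e 's/^[[:space:]]*//'
}

# csr_has_attr CSR ATTR: succeed only if the subject carries ATTR (CN, OU, ...).
csr_has_attr() {
    csr_subject "$1" | grep -q "^$2="
}

# check_csr CSR ATTR...: list the required attributes the subject lacks.
# This mirrors the check the EST server applied (subject.organization_unit).
check_csr() {
    csr="$1"; shift
    missing=""
    for attr in "$@"; do
        csr_has_attr "$csr" "$attr" || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        echo "$csr is missing:$missing" >&2
        return 1
    fi
    echo "$csr carries: $*"
}
```

Run `check_csr "$(make_csr dev '/CN=device-0001/OU=IoT Devices')" CN OU` to see a passing CSR; the same call on a CN-only subject reports the missing OU and returns non-zero.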