Set the Subject Key Identifier when generating certificates #9
Conversation
The identifier is the 160-bit SHA-1 hash of the public key (see [1]). This library is used by the BOSH cli and the BOSH cli can be used to generate certificates into a variable store - based on the manifest variable definitions.

There is a known issue if you try to rotate the CA certificates outlined in [2]. The root of the problem is that when OpenSSL is configured to trust multiple CAs, and two of them have the same subject name, OpenSSL will only verify certificates against the first one (see [3] in OpenSSL code).

One solution for the CA certificate rotation problem is to set the Subject Key Identifiers so OpenSSL will be able to handle multiple certificates with the same subject name.

The generation method is based on certstrap's solution. [4]

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.2
[2] https://docs.google.com/document/d/1vKxziTEvIgKHubukoyAGaJzGqrMBjun7JffbunlLBPg/edit
[3] https://github.com/openssl/openssl/blob/49f6cb9/crypto/x509/x509_lu.c#L613-L617
[4] https://github.com/square/certstrap/blob/b6aef50/pkix/key.go#L150
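As an added example (not the PR's code, and not config-server's or certstrap's implementation), the Go program below computes the identifier exactly as the description states it, SHA-1 over the subjectPublicKey BIT STRING value per RFC 5280 section 4.2.1.2 method (1), and then walks through the rotation case the PR is about: two CAs that share the subject name "cf-ca", a leaf issued by the newer one, and the SKI/AKI pair being the only thing that tells the issuers apart. The helper names (`subjectKeyID`, `issue`, `issuerFor`, `rotationDemo`), the subject names and the validity periods are assumptions chosen for illustration. It uses Go's standard library verifier, which already tries every candidate root with a matching name, so the OpenSSL lookup behaviour cited in [3] is not reproduced here; the `issuerFor` function shows the SKI/AKI lookup that such a verifier needs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// subjectKeyID implements method (1) of RFC 5280 section 4.2.1.2: the SHA-1
// hash of the subjectPublicKey BIT STRING value, without the tag, length and
// unused-bits octets. MarshalPKIXPublicKey yields the whole
// SubjectPublicKeyInfo, so the BIT STRING is unwrapped first.
func subjectKeyID(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:], nil
}

// caTemplate is a minimal CA template with the given common name (assumed values).
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue generates a fresh P-256 key for tmpl, sets its SKI from that key and its
// AKI from the parent's SKI, and signs it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SubjectKeyId, err = subjectKeyID(&key.PublicKey); err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
		tmpl.AuthorityKeyId = parent.SubjectKeyId
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuerFor picks, among CAs whose subject equals the leaf's issuer name, the one
// whose SKI equals the leaf's AKI. A lookup keyed on the name alone cannot separate
// the rotated CAs; this comparison is what the SKI/AKI extensions add.
func issuerFor(leaf *x509.Certificate, cas []*x509.Certificate) *x509.Certificate {
	for _, ca := range cas {
		if ca.Subject.String() == leaf.Issuer.String() && bytes.Equal(ca.SubjectKeyId, leaf.AuthorityKeyId) {
			return ca
		}
	}
	return nil
}

type rotationResult struct {
	AKIMatchesNewCA, AKIMatchesOldCA, PickedNewCA, OldCARejected, VerifiesWithBoth bool
}

// rotationDemo builds two CAs with the identical subject "cf-ca" (the rotation
// case), issues a leaf from the second one and reports how SKI/AKI disambiguate them.
func rotationDemo() (rotationResult, error) {
	var r rotationResult
	oldCA, _, err := issue(caTemplate("cf-ca"), nil, nil)
	if err != nil {
		return r, err
	}
	newCA, newKey, err := issue(caTemplate("cf-ca"), nil, nil)
	if err != nil {
		return r, err
	}
	leaf, _, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "api.cf.internal"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newCA, newKey)
	if err != nil {
		return r, err
	}
	r.AKIMatchesNewCA = bytes.Equal(leaf.AuthorityKeyId, newCA.SubjectKeyId)
	r.AKIMatchesOldCA = bytes.Equal(leaf.AuthorityKeyId, oldCA.SubjectKeyId)
	r.PickedNewCA = issuerFor(leaf, []*x509.Certificate{oldCA, newCA}) == newCA
	r.OldCARejected = leaf.CheckSignatureFrom(oldCA) != nil
	roots := x509.NewCertPool()
	roots.AddCert(oldCA) // both same-name CAs trusted at once, as during a rotation
	roots.AddCert(newCA)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	r.VerifiesWithBoth = err == nil
	return r, nil
}

func main() {
	r, err := rotationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints a result whose `AKIMatchesOldCA` is false and whose other fields are true: the leaf names the new CA through its AKI, the old CA's key does not verify the leaf's signature, and a trust store holding both same-name CAs still builds a chain because the verifier can match on key identifiers rather than on the subject name alone.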
Hey alext! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/158217031 The labels on this github issue will be updated when the story is started.
Hi @alext thanks for your contribution! We recently added both the SKI and AKI to the certificates/CAs that are generated by porting an existing implementation from elsewhere.
Cross-referencing... added via 3613d6c from story #159504957, and bumped in bosh-cli (but not yet released in a new CLI version; next version should support this). |
The version 5.2.1 [1] supports generating certificates via --vars-store with SKI/AKI. We need this to be able to rotate CA certificates used by CF API, otherwise it is not possible to use two CA certs with the same name at the same time. More info in [2] [1] https://github.com/cloudfoundry/bosh-cli/releases/tag/v5.2.1 [2] cloudfoundry/config-server#9
We have updated the bosh-cli-v2 to use bosh-cli 5.2.1 with SKI for certs, and we want to use the same in the rest of the containers for consistency. The version 5.2.1 [1] supports generating certificates via --vars-store with SKI/AKI. We need this to be able to rotate CA certificates used by CF API, otherwise it is not possible to use two CA certs with the same name at the same time. More info in [2] [1] https://github.com/cloudfoundry/bosh-cli/releases/tag/v5.2.1 [2] cloudfoundry/config-server#9