
Set the Subject Key Identifier when generating certificates #9

Closed
wants to merge 1 commit into from

Conversation

alext

@alext alext commented Jun 8, 2018

The identifier is the 160-bit SHA-1 hash of the public key (see [1]).

This library is used by the BOSH cli and the BOSH cli can be used to generate
certificates into a variable store - based on the manifest variable definitions.
There is a known issue if you try to rotate the CA certificates outlined in [2].

The root of the problem is that when OpenSSL is configured to trust multiple
CAs, and two of them have the same subject name, OpenSSL will only verify
certificates against the first one (see [3] in OpenSSL code).

One solution for the CA certificate rotation problem is to set the Subject Key
Identifiers so OpenSSL will be able to handle multiple certificates with the
same subject name.

The generation method is based on certstrap's solution. [4]

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.2
[2] https://docs.google.com/document/d/1vKxziTEvIgKHubukoyAGaJzGqrMBjun7JffbunlLBPg/edit
[3] https://github.com/openssl/openssl/blob/49f6cb9/crypto/x509/x509_lu.c#L613-L617
[4] https://github.com/square/certstrap/blob/b6aef50/pkix/key.go#L150

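The derivation the description outlines, as an added example rather than code from this PR or from config-server: the SKI is RFC 5280 section 4.2.1.2 method (1), the SHA-1 of the subjectPublicKey BIT STRING contents, computed the way certstrap does and then set on a self-signed CA. The function names `subjectKeyID` and `newCA` are assumptions, and Ed25519 is used only to keep key generation short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// subjectKeyID implements RFC 5280 4.2.1.2 method (1): SHA-1 over the contents
// of the subjectPublicKey BIT STRING (no AlgorithmIdentifier, tag, length or
// unused-bits byte), which is also how certstrap derives it.
func subjectKeyID(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki struct {
		Algorithm        pkix.AlgorithmIdentifier
		SubjectPublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.SubjectPublicKey.Bytes)
	return sum[:], nil
}

// newCA returns a DER-encoded self-signed CA whose SKI is derived from its key,
// so two CAs that share a subject name (as during rotation) stay distinguishable.
func newCA(cn string) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ski, err := subjectKeyID(pub)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		SubjectKeyId: ski, // set explicitly rather than left to the library
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}
```

Two certificates from `newCA("default.ca")` share a subject but carry different SKIs, which is exactly the property that lets a verifier pick the right CA during rotation.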
@cfdreddbot

Hey alext!

Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/158217031

The labels on this github issue will be updated when the story is started.

@h4xnoodle
Contributor

Hi @alext thanks for your contribution!

We recently added both the SKI and AKI to the certificates/CAs that are generated by porting an existing implementation from elsewhere.

@dpb587-pivotal
Contributor

Cross-referencing... added via 3613d6c from story #159504957, and bumped in bosh-cli (but not yet released in a new CLI version; next version should support this).

keymon added a commit to alphagov/paas-docker-cloudfoundry-tools that referenced this pull request Sep 19, 2018
The version 5.2.1 [1] supports generating certificates via
--vars-store with SKI/AKI.

We need this to be able to rotate CA certificates used by CF API,
otherwise it is not possible to use two CA certs with the same name
at the same time.

More info in [2]

[1] https://github.com/cloudfoundry/bosh-cli/releases/tag/v5.2.1
[2] cloudfoundry/config-server#9
keymon added a commit to alphagov/paas-docker-cloudfoundry-tools that referenced this pull request Sep 20, 2018
We have updated the bosh-cli-v2 to use bosh-cli 5.2.1 with SKI for
certs, and we want to use the same in the rest of containers
for consistency.

The version 5.2.1 [1] supports generating certificates via
--vars-store with SKI/AKI.

We need this to be able to rotate CA certificates used by CF API,
otherwise it is not possible to use two CA certs with the same name
at the same time.

More info in [2]

[1] https://github.com/cloudfoundry/bosh-cli/releases/tag/v5.2.1
[2] cloudfoundry/config-server#9