Improve Subject Name handling for Conjur CA certificates #712
Conversation
ghost
added
micahlee
force-pushed
the
ca_signing_service
branch
from
6b96146
to
02fcfef
Compare
|
This code looks solid, but I think we should hold on merging until we run the host name format by a customer or two. I worry it'll be too restrictive. |
micahlee
force-pushed
the
ca_csr_subject
branch
from
5ac9a9c
to
92a46a2
Compare
| csr_cert | ||
| end | ||
|
|
||
| protected | ||
|
|
||
| def subject(role) | ||
| common_name = [ | ||
| 'conjur', |
There was a problem hiding this comment.
What do you think about pulling this out? I'm not sure I'd love to need to put conjur into my host naming convention, particularly if all hosts were managed by Conjur. Without it, organizations are free to set account, service_id, and host id as they see fit.
There was a problem hiding this comment.
I'm ok with that. I think we had settled on this because it roughly mirrored the SPIFFE ID, but there is no other reason I am aware of at this point. I will change it.
micahlee
force-pushed
the
ca_csr_subject
branch
from
92a46a2
to
493fd67
Compare
micahlee
changed the title
micahlee
force-pushed
the
ca_csr_subject
branch
from
70f52fe
to
70456e7
Compare
|
Code Climate has analyzed commit 70456e7 and detected 5 issues on this pull request. Here's the issue category breakdown:
View more on Code Climate. |
Closes #705
Closes #707
What does this pull request do?
This PR updates the Conjur CA certificates in 2 ways:
The Common Name on the certificate is now given directly from the authenticated role (must be host), and not from the CSR. The common name has the format
<account>:<ca-service-id>:host:<host-id>. A DNS alternative name is added for the leaf (right-most) portion of the slash separate host identifier. This is to support the existing demo.The certificate now includes a URI subject alternative name containing the SPIFFE Id for the role. This currently takes the form of
spiffe://conjur/<account>/<ca-service-id>/host/<host-id>.Where should the reviewer start?
The core changes are in
app/domain/ca/certificate_authority.rbHow should this be manually tested?
The API cucumber tests include verification that these IDs are present and correct.
If you want to, you can use the demo (https://github.com/conjurdemos/misc-util/tree/master/demos/certificate-authority/mutual-tls) to generate a certificate. You can then use OpenSSL to view the contents to verify the subject names, e.g.:
Link to build in Jenkins (if appropriate)
https://jenkins.conjur.net/job/cyberark--conjur/job/ca_csr_subject/
Questions: