Feature #3943

Enable extended CSR attributes to be passed to the puppet client

Added by Mathias Gug over 1 year ago. Updated 8 months ago.

Status:Duplicate Start date:06/03/2010
Priority:Normal Due date:
Assignee:- % Done:0%

Category:SSL
Target version:-
Affected Puppet version:0.25.4 Branch:
Keywords:
Votes: 0

Description

When the client generates a CSR for itself it would be useful to be able to pass to the client extended attributes to be added to the CSR.

For example the component responsible for starting new instances in EC2 could pass a signature to include in the instance CSR in order to legitimate the request to the puppetmaster. An example infrastructure using this feature is outlined in https://wiki.ubuntu.com/ServerMaverickPuppetBootstrap.


Related issues

duplicated by Puppet - Feature #7243: Additional data in Puppet CSRs (certdnsnames, and custom ... Tests Insufficient 04/26/2011

History

Updated by James Turnbull over 1 year ago

  • Category set to SSL
  • Status changed from Unreviewed to Accepted
  • Target version set to 2.7.x

Updated by James Turnbull over 1 year ago

  • Target version changed from 2.7.x to 2.6.0

Just talked to Mathias and it’d be really helpful in Ubuntu land if this went into an earlier release.

Updated by James Turnbull over 1 year ago

Mathias – so I’ve got it a bit further and now erroring on:

err: Could not request certificate: unknown OID `1.3.6.1.4.1.34380.2.1'

Puppet doesn’t use openssl.cnf to configure anything – do you remember how you got it to work?

Updated by Mathias Gug over 1 year ago

I haven’t been able to make puppet include the csr – I haven’t looked at the puppet code.

My proof of concept was based around the openssl command line. With the following configuration file:

[ new_oids ]
Signature = 1.3.6.1.4.1.34380.2.0
SignatureVersion = 1.3.6.1.4.1.34380.2.1
ExpirationDate = 1.3.6.1.4.1.34380.2.2
ConductorCertificate = 1.3.6.1.4.1.34380.2.3

[ req ]
oid_section = new_oids
default_bits = 1024
default_keyfile = privkey.pem
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
commonName = foo.example.org

[ req_attributes ]
# Signature (base64 encoded)
1.3.6.1.4.1.34380.2.0 = aaabbbbbsssddddd
# Signature version (integer)
1.3.6.1.4.1.34380.2.1 = 1
# expiration date (rfc3339)
1.3.6.1.4.1.34380.2.2 = 2010-05-07T23:31:03+00:00
# Cloud conductor certificate (PEM format)
1.3.6.1.4.1.34380.2.3 = -----BEGIN CERTIFICATE [...] -----

I was able to generate a csr using the following command line:

$ openssl req -new -keyout key.pem -out req.pem -config openssl.cnf

The generated csr looked like:

$ openssl req -text -noout < req.pem 
Certificate Request:
  Data:
      Version: 0 (0x0)
      Subject: CN=foo.example.org
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                  00:c7:2f:0d:e1:7a:91:ea:d5:c8:6c:fe:98:fd:62:
                  55:e6:01:26:26:55:0e:d7:b4:fd:c8:73:0f:e0:8b:
                  d6:30:91:9b:d8:d5:5f:e8:6a:00:fb:35:31:de:8f:
                  f8:7d:5c:d7:84:c5:f2:d6:1c:11:68:72:dc:cc:20:
                  6b:19:0e:56:70:52:06:48:a0:75:30:05:67:18:0d:
                  be:2b:2e:eb:3c:29:be:6e:31:77:4d:a4:fe:51:8e:
                  d8:62:b5:b8:84:16:e1:c3:0b:9d:bd:65:a4:23:ed:
                  45:06:94:de:f0:45:11:c5:8f:55:00:8a:cc:3a:a8:
                  d7:11:60:01:db:cc:66:70:17
              Exponent: 65537 (0x10001)
      Attributes:
          1.3.6.1.4.1.34380.2.1    :1
          1.3.6.1.4.1.34380.2.0    :aaabbbbbsssddddd
          1.3.6.1.4.1.34380.2.2    :2010-05-07T23:31:03+00:00
          1.3.6.1.4.1.34380.2.3    :-----BEGIN CERTIFICATE [...] -----
  Signature Algorithm: sha1WithRSAEncryption
      b1:de:11:e6:7d:80:0c:02:07:ac:4d:5a:8b:ef:7d:00:12:84:
      0c:08:3a:41:6a:ac:af:a3:15:3e:5e:fd:d4:b4:33:86:96:ee:
      df:4d:b8:00:c4:e5:c5:13:4d:c4:76:68:b5:84:3b:3a:21:17:
      f4:76:6e:81:01:ad:7d:2f:69:04:53:de:8b:f0:c5:12:91:86:
      33:43:b8:8b:46:d6:f1:ef:3d:2c:4c:3f:b3:a3:48:35:98:6d:
      0e:cc:0a:9e:2c:93:0b:a5:25:a1:49:92:8e:1f:82:df:57:65:
      b7:9c:d4:0a:57:bc:98:24:c8:c0:a4:d7:fb:fd:f0:97:29:e4:
      3d:49
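
The attribute scheme from the openssl.cnf proof of concept above, built and checked with Ruby's OpenSSL bindings instead of the openssl command line. This is an added example, not code from this ticket or from Puppet, and it assumes things the ticket does not state: what the conductor signs (here the CN and the expiration date joined by a newline), RSA with SHA-256 for that signature, UTF8String as the attribute value type, and that the puppetmaster already holds a pinned copy of the conductor certificate. Unregistered OIDs are passed to OpenSSL::X509::Attribute and read back in dotted numeric form, so no OID registration is needed for this part:

```ruby
require 'openssl'
require 'time'

# OIDs from the new_oids section of the proof of concept.
OID_SIGNATURE   = '1.3.6.1.4.1.34380.2.0'
OID_SIG_VERSION = '1.3.6.1.4.1.34380.2.1'
OID_EXPIRES     = '1.3.6.1.4.1.34380.2.2'
OID_CONDUCTOR   = '1.3.6.1.4.1.34380.2.3'
REQUIRED_OIDS   = [OID_SIGNATURE, OID_SIG_VERSION, OID_EXPIRES, OID_CONDUCTOR]
DIGEST          = 'SHA256'

# Assumption (the ticket does not define it): the conductor signs CN and expiry.
def conductor_signed_message(common_name, expires_at)
  "#{common_name}\n#{expires_at}"
end

# Build a CSR carrying custom attributes given as { oid => string }.
# Each value is wrapped in a SET of one UTF8String, which is what
# X509::Attribute expects; the dotted OID needs no prior registration.
def build_csr(key, common_name, attributes)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  req.public_key = key.public_key
  attributes.each do |oid, value|
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(value)])
    req.add_attribute(OpenSSL::X509::Attribute.new(oid, set))
  end
  req.sign(key, OpenSSL::Digest.new(DIGEST))
  req.to_pem
end

# Read the attributes back as { oid => string }; unknown OIDs come back dotted.
def csr_attributes(csr)
  csr.attributes.each_with_object({}) do |attr, h|
    h[attr.oid] = attr.value.value.first.value
  end
end

# Master side: is this CSR legitimate? Returns [ok, reason].
def check_csr(pem, pinned_conductor_cert, now = Time.now)
  csr = OpenSSL::X509::Request.new(pem)
  # Attributes sit inside CertificationRequestInfo, so the CSR's own
  # signature covers them; verify it before trusting anything in them.
  return [false, 'bad CSR self-signature'] unless csr.verify(csr.public_key)
  attrs = csr_attributes(csr)
  missing = REQUIRED_OIDS - attrs.keys
  return [false, "missing attributes #{missing.join(', ')}"] unless missing.empty?
  return [false, 'unsupported signature version'] unless attrs[OID_SIG_VERSION] == '1'
  expires = Time.iso8601(attrs[OID_EXPIRES]) rescue nil
  return [false, 'unparseable expiration date'] if expires.nil?
  return [false, 'conductor signature expired'] if expires <= now
  # A certificate carried inside the CSR proves nothing by itself: it must be
  # the conductor certificate the master already trusts.
  embedded = OpenSSL::X509::Certificate.new(attrs[OID_CONDUCTOR]) rescue nil
  return [false, 'unknown conductor certificate'] unless embedded && embedded.to_der == pinned_conductor_cert.to_der
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }[1]
  sig = attrs[OID_SIGNATURE].unpack1('m')   # base64 decode
  msg = conductor_signed_message(cn, attrs[OID_EXPIRES])
  ok = embedded.public_key.verify(OpenSSL::Digest.new(DIGEST), sig, msg) rescue false
  ok ? [true, 'ok'] : [false, 'conductor signature does not verify']
end

# Constructed sample: one conductor, one instance (2048-bit keys, not the PoC's 1024).
def self_signed_conductor_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', 'conductor.example.org']])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  cert
end

CONDUCTOR_KEY  = OpenSSL::PKey::RSA.new(2048)
CONDUCTOR_CERT = self_signed_conductor_cert(CONDUCTOR_KEY)
INSTANCE_KEY   = OpenSSL::PKey::RSA.new(2048)
EXPIRES        = (Time.now + 600).utc.iso8601   # rfc3339, as in the PoC

# The conductor signs for the instance; the instance then builds its CSR.
def sample_csr(common_name = 'foo.example.org', expires = EXPIRES, signing_key = CONDUCTOR_KEY)
  sig = signing_key.sign(OpenSSL::Digest.new(DIGEST), conductor_signed_message(common_name, expires))
  build_csr(INSTANCE_KEY, common_name, {
    OID_SIGNATURE   => [sig].pack('m0'),   # base64 without line breaks
    OID_SIG_VERSION => '1',
    OID_EXPIRES     => expires,
    OID_CONDUCTOR   => CONDUCTOR_CERT.to_pem,
  })
end

if __FILE__ == $0
  p check_csr(sample_csr, CONDUCTOR_CERT)
  p check_csr(sample_csr('evil.example.org', EXPIRES, OpenSSL::PKey::RSA.new(2048)), CONDUCTOR_CERT)
end
```

Running the file prints the decision for a legitimate CSR and for one whose conductor signature was made with the wrong key. Two points the openssl output above does not make explicit: the attributes are covered by the CSR's self-signature, so that signature has to be checked before any attribute is read, and the embedded conductor certificate only tells the master which key the requester claims was used; the master must compare it against the certificate it already trusts rather than accept whatever the CSR carries, since any client can put any certificate in its own CSR.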

Updated by James Turnbull over 1 year ago

  • Target version changed from 2.6.0 to 2.7.x

Updated by Mathias Gug over 1 year ago

As discussed with James at DevOps day it seems that the openssl ruby library doesn’t support custom oids. One solution would be to refactor the code to call openssl directly with a custom generated configuration file.

Updated by Jesse Wolfe over 1 year ago

  • Target version changed from 2.7.x to 2.6.0

Updated by Markus Roberts over 1 year ago

  • Target version changed from 2.6.0 to 52

Updated by James Turnbull 11 months ago

  • Target version deleted (52)

Updated by James Turnbull 8 months ago

  • Status changed from Accepted to Duplicate

Closed in favour of #7243.
