Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-3114

CA Authority Key Identifier with issuer instead of keyid

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Done
    • None
    • SERVER 6.18.0, SERVER 7.6.0
    • None

    • Debian 10

    • Froyo
    • 1
    • Froyo - 1/19/2022
    • Customer Feedback
    • Bug Fix
    • Hide
      * The self-signed CA signing cert generated by starting puppetserver will now use a keyid for its authority key identifier, to match the CA chain generated by `puppetserver ca setup`.
      * The CA signing cert no longer has subject alternative names added to it, since they are not meaningful.
      Show
      * The self-signed CA signing cert generated by starting puppetserver will now use a keyid for its authority key identifier, to match the CA chain generated by `puppetserver ca setup`. * The CA signing cert no longer has subject alternative names added to it, since they are not meaningful.
    • Needs Assessment

    Description

      Hello,

      Following PA-3979, I found a weird puppet behavior during CA certificate generation.
      When generating the CA crt with "puppetserver start", "Authority Key Identifier" is set in the CA crt with the issuer :

      			X509v3 Authority Key Identifier: 
      				DirName:/CN=Puppet CA: puppet
      		 
      				serial:01

      If I regenerate the CA crt with pupperserver ca setup, this field is filled with a keyid :

                  X509v3 Authority Key Identifier: 
                      keyid:04:27:BC:E8:9A:D9:15:9F:3F:1A:0F:F0:0D:71:99:65:60:CD:AE:75

      The issue is that LibreSSL get in trouble with the first one and cannot validate any certificate with it.
      Why the behavior is different between the two ways of generation ?

      Thanks in advance

      To make Puppet Server generate certs with a keyid instead of a DirName:

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. SERVER-2338 PuppetCA should issue certs with Subject Alternative Name containing the CN for compliance with RFC 2818

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved

          Activity

            People

              maggie Maggie Dreyer
              qhess34 Quentin
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support