[ClusterLabs] pacemaker certificate is not generated with SubjectAlternativeName

S Sathish S s.s.sathish at ericsson.com
Fri Feb 28 02:06:22 EST 2020

Hi Team,

We have found that the Pacemaker certificate is not generated with SubjectAlternativeName.

Please find the general guidelines:

In case client certificates are required, verification of the client identity SHOULD use the first matching subjectAltName field of the client certificate to be compared with an authorization identity present in a local or central AA database.
To mitigate the Man-in-the-Middle risk, the server identity verification is RECOMMENDED to be done as well. A client can accept several server certificates in certificate validation issued by the same trusted CA.

After certificate chain validation, the TLS client MUST check the identity of the server with a configured reference identity (e.g., a hostname). The clients MUST support checks using the subjectAltName field with type dNSName. If the certificate contains multiple subjectAltName values then a match with any one of the fields is considered acceptable.

Current Certificate details:
#keytool -printcert -file /var/lib/pcsd/pcsd.crt
Owner: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Issuer: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
Serial number: 1703482bc5b
Valid from: Tue Feb 11 14:49:08 CET 2020 until: Fri Feb 08 14:49:08 CET 2030
Certificate fingerprints:
         MD5:  6E:C9:F8:E2:B9:F7:F6:65:53:B4:BD:B9:18:71:B9:78
         SHA1: 9E:7C:22:DA:61:AA:86:DB:D1:74:D4:AC:47:CA:DC:06:6A:21:C2:F0
         SHA256: 1D:8D:88:55:70:FE:01:BB:DB:5C:BD:E7:FF:79:62:02:CB:64:97:A7:16:A4:29:49:F1:94:8E:2F:7B:FC:D4:B5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Sample certificate with SubjectAltName details:
#3: ObjectId: Criticality=false
SubjectAlternativeName [
  DNSName: XXX
  DNSName: XXX]

Thanks and Regards,
S Sathish S
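The client-side check the quoted guidelines describe, as an added example that is not part of the original message or of pcsd/pacemaker: the reference identity is matched only against subjectAltName dNSName values, any one match is enough, and a CN-only certificate like the current pcsd.crt fails outright. The `CertIdentity` type and the `node1.cluster.example` hostnames are constructed stand-ins for the `XXX` in the message.

```python
# Added example (not pcsd/pacemaker code): RFC 6125-style reference-identity
# check of a server certificate using only its subjectAltName dNSName values.
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Identity-bearing fields of a certificate, as keytool -printcert shows them."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def dnsname_matches(presented: str, reference: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against the reference hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label, matches exactly one label, and is refused when it would
    cover a whole TLD such as "*.com" (conservative reading of RFC 6125 6.4.3).
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if len(p_labels) != len(r_labels):
        return False
    head, *rest = p_labels
    if head == "*":
        return len(p_labels) >= 3 and rest == r_labels[1:]
    if "*" in presented:
        return False  # partial-label wildcards like "n*.example" are not accepted
    return p_labels == r_labels


def verify_reference_identity(cert: CertIdentity, reference: str) -> tuple:
    """Return (ok, reason). Any single matching dNSName suffices; a certificate
    with no dNSName SAN fails without consulting the CN, which is why the
    CN-only pcsd certificate is rejected by a client that follows the guideline."""
    if not cert.san_dns:
        return False, "no subjectAltName dNSName present; CN is not a fallback"
    for name in cert.san_dns:
        if dnsname_matches(name, reference):
            return True, f"matched SAN dNSName {name!r}"
    return False, f"no SAN dNSName matches {reference!r}: {cert.san_dns}"


if __name__ == "__main__":
    # Constructed sample certificates standing in for the XXX values above.
    cn_only = CertIdentity(subject_cn="node1.cluster.example")
    with_san = CertIdentity(subject_cn="node1.cluster.example",
                            san_dns=["node1.cluster.example", "*.cluster.example"])
    for cert in (cn_only, with_san):
        print(verify_reference_identity(cert, "node1.cluster.example"))
```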
