[ClusterLabs] pacemaker certificate is not generated with SubjectAlternativeName

Tomas Jelinek tojeline at redhat.com
Mon Mar 2 03:24:21 EST 2020

On 28. 02. 20 at 8:06, S Sathish S wrote:
> Hi Team,
> We have found that the Pacemaker certificate is not generated with 
> SubjectAlternativeName.

You are right, SubjectAlternativeName is not specified. Minor correction 
though, it's pcsd certificate, not pacemaker.

> Please find the general guidelines:
> In case client certificates are required, verification of the client 
> identity SHOULD use the first matching subjectAltName field of the 
> client certificate to be compared with an authorization identity present 
> in a local or central AA database.

Client certificates are not used with pcsd.

> To mitigate the Man-in-the-Middle risk, the server identity 
> verification is RECOMMENDED to be done as well. A client can accept 
> several server certificates in certificate validation issued by the same 
> trusted CA.
> 
> After certificate chain validation, the TLS client MUST check the 
> identity of the server with a configured reference identity (e.g., a 
> hostname). The clients MUST support checks using the subjectAltName 
> field with type dNSName. If the certificate contains multiple 
> subjectAltName values then a match with any one of the fields is 
> considered acceptable.

I don't see anything here that would say subjectAltName is required to 
be present in certificates. Is the fact that subjectAltName is not 
defined causing you any specific problems?

In any case, you are free and recommended to replace the default pcsd 
certificate with your own. You can use 'pcs pcsd certkey' and 'pcs pcsd 
sync-certificates' to do so.


> Current Certificate details:
> #keytool -printcert -file /var/lib/pcsd/pcsd.crt
> Owner: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
> Issuer: CN=XXX, OU=pcsd, O=pcsd, L=Minneapolis, ST=MN, C=US
> Serial number: 1703482bc5b
> Valid from: Tue Feb 11 14:49:08 CET 2020 until: Fri Feb 08 14:49:08 CET 2030
> Certificate fingerprints:
>           MD5:  6E:C9:F8:E2:B9:F7:F6:65:53:B4:BD:B9:18:71:B9:78
>           SHA1: 9E:7C:22:DA:61:AA:86:DB:D1:74:D4:AC:47:CA:DC:06:6A:21:C2:F0
>           SHA256: 
> 1D:8D:88:55:70:FE:01:BB:DB:5C:BD:E7:FF:79:62:02:CB:64:97:A7:16:A4:29:49:F1:94:8E:2F:7B:FC:D4:B5
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
> Sample certificate with SubjectAltName details:
> #3: ObjectId: Criticality=false
> SubjectAlternativeName [
>    DNSName: XXX
>    DNSName: XXX]
> Thanks and Regards,
> S Sathish S
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
> ClusterLabs home: https://www.clusterlabs.org/

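As an added example that is not part of the original thread and not code from pcs itself: the reply points at 'pcs pcsd certkey' and 'pcs pcsd sync-certificates' as the way to replace the default pcsd certificate. The script below generates a replacement server certificate that does carry a subjectAltName, checks the extension and the hostname match the way a TLS client would (the check the quoted guideline describes), and shows the two pcs commands for installing it. It assumes OpenSSL 1.1.1 or newer (for -addext), and the hostnames and paths used are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread or from pcs): build a pcsd server
# certificate with a dNSName subjectAltName, verify it, and install it.
# Assumptions: OpenSSL >= 1.1.1, placeholder node names such as node1.example.com.
set -eu

# gen_san_cert DIR CN HOST...
# Self-signed RSA-2048 certificate valid 10 years (like the default pcsd
# cert shown in the thread) but with a dNSName SAN entry for every HOST.
gen_san_cert() {
    gsc_dir=$1; gsc_cn=$2; shift 2
    gsc_san=""
    for gsc_h in "$@"; do
        gsc_san="${gsc_san:+$gsc_san,}DNS:$gsc_h"
    done
    mkdir -p "$gsc_dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -keyout "$gsc_dir/pcsd.key" -out "$gsc_dir/pcsd.crt" \
        -subj "/CN=$gsc_cn/OU=pcsd/O=pcsd" \
        -addext "subjectAltName=$gsc_san" >/dev/null 2>&1
}

# cert_has_san CRT HOST : exit 0 if CRT lists HOST as a dNSName SAN entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

# verify_hostname CRT HOST : exit 0 if OpenSSL's client-side identity check
# accepts CRT for the reference identity HOST. CRT is passed as its own trust
# anchor so only the identity check is exercised. Once a dNSName SAN is
# present, the CN is no longer consulted (RFC 6125 behaviour), which is why
# a SAN-less certificate and a SAN certificate behave differently here.
verify_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# install_pcsd_cert DIR : load the pair into pcsd and push it to all nodes.
# Needs root on a cluster node; pcs warns that sync-certificates restarts
# pcsd on the nodes.
install_pcsd_cert() {
    pcs pcsd certkey "$1/pcsd.crt" "$1/pcsd.key"
    pcs pcsd sync-certificates
}

# Usage sketch with placeholder names (run install_pcsd_cert only on a real cluster):
#   gen_san_cert /root/pcsd-cert node1.example.com node1.example.com node1
#   cert_has_san /root/pcsd-cert/pcsd.crt node1
#   verify_hostname /root/pcsd-cert/pcsd.crt node1.example.com
#   install_pcsd_cert /root/pcsd-cert
```

Note the last check in the verification function: a certificate whose CN matches the host name but whose SAN does not will be rejected by a conforming client, so every name the nodes are reached by (FQDN and short name alike) has to be listed in the SAN, not just in the CN.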