Custom Certificate Signing Request and incomplete Subject DN when using Internet Explorer with PKCS #10 requests


Environment

  • Red Hat Enterprise Linux 4 and 5
  • Red Hat Certificate System 7.3 and 8.0 up to pki-ca-8.0.6-1.el5pki.noarch
  • Firefox 3.x
  • Windows XP and IE 6.x

Issue

In Red Hat Certificate System (RHCS), when customizing Registration Authority (RA) or Certificate Authority (CA) HTML enrollment forms for Internet Explorer (IE) with PKCS #10 requests, the enrollment may result in missing information in the Certificate Signing Request (CSR)'s Subject Distinguished Name (DN), as well as in the issued and signed digital certificate.

Resolution

The Administration Guides for Certificate System 7.3 and 8.0 were updated in September 2010, and the update will be included in the coming 8.1.

When using a custom enrollment form with IE, the validate() and Send_OnClick functions in the user.vm template file may need adjusting. Back up the template before editing it:

cp -p /var/lib/rhpki-instance-id/docroot/ee/user/user.vm /var/lib/rhpki-instance-id/docroot/ee/user/user.vm.orig
vi /var/lib/rhpki-instance-id/docroot/ee/user/user.vm

Modify the validate() function to add an organization attribute to the subject DN. For example, with a text field named "org" in the Registration Authority user enrollment form:

    // Read the new "org" text field and refuse to submit when it is blank
    var myorg = document.enrollment.org.value;
    if (myorg == '') {
      alert("O is empty");
      return false;
    }
...
    // Append the organization RDN to the DN that user.vm already builds
    var dn = "uid="+x+",e="+e+",cn="+cn+",o="+myorg;

Now, locate the Microsoft Visual Basic block for the subroutine called "Sub Send_OnClick", and build your customized subject DN in the szName statement. For example:

Change from:

' Construct the X500 distinguished name
 szName = "0.9.2342.19200300.100.1.1=" & TheForm.uid.Value & ",E=" & TheForm.email.Value & ",CN=" & TheForm.cn.Value

by appending the string:

 & ",O=" & TheForm.org.Value

giving, for example:

 ' Construct the X500 distinguished name
   szName = "0.9.2342.19200300.100.1.1=" & TheForm.uid.Value & ",E=" & TheForm.email.Value & ",CN=" & TheForm.cn.Value & ",O=" & TheForm.org.Value
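Both the validate() change and the szName change above build the subject DN by concatenating raw form values. The following is an added example, not code from user.vm or from Red Hat, that does the same job client-side in one place: it assembles the DN in the order the template uses (uid, e, cn) followed by the added organization, organizational unit and country fields, rejects blank required fields with the same "O is empty" wording as the validate() alert, and escapes attribute values per RFC 4514 so that a comma or plus sign typed into a field stays inside its own RDN. The form field names org, orgu and cnt are taken from the RA debug log on this page; the hidden field name subject_dn and the two-letter country check are assumptions of this example.

```javascript
// Added example (not the user.vm template code): build the subject DN string
// from the enrollment form fields. Field names org, orgu and cnt come from the
// RA debug log on this page; the rest of the names here are assumed.

// [attribute type, form field name, required]
const DN_FIELDS = [
  ["uid", "uid", true],   // the VBScript path writes this type as 0.9.2342.19200300.100.1.1
  ["e", "email", true],
  ["cn", "cn", true],
  ["o", "org", true],
  ["ou", "orgu", false],
  ["c", "cnt", false],
];

// Escape an attribute value per RFC 4514. Escaping is an addition of this
// example; the template concatenates the raw value. A comma, plus sign or
// quote in a field value would otherwise be read as DN syntax.
function escapeRdnValue(value) {
  let out = value.replace(/([,+"\\<>;])/g, "\\$1");
  if (out.startsWith("#") || out.startsWith(" ")) out = "\\" + out;
  if (out.endsWith(" ") && !out.endsWith("\\ ")) out = out.slice(0, -1) + "\\ ";
  return out;
}

// form: plain object keyed by form field name (document.enrollment.<name>.value
// in the template). Throws "<ATTR> is empty" for a blank required field,
// mirroring the validate() alerts; returns the DN string otherwise.
function buildSubjectDn(form) {
  const rdns = [];
  for (const [attr, field, required] of DN_FIELDS) {
    const raw = form[field] === undefined ? "" : String(form[field]);
    if (raw === "") {
      if (required) throw new Error(attr.toUpperCase() + " is empty");
      continue;
    }
    // countryName is defined as a two-character PrintableString (assumed check)
    if (attr === "c" && !/^[A-Za-z]{2}$/.test(raw)) {
      throw new Error("C must be a two-letter country code");
    }
    rdns.push(attr + "=" + escapeRdnValue(raw));
  }
  return rdns.join(",");
}

// Browser-side hook in the shape of the template's validate(): block submission
// and tell the user what is wrong, otherwise store the DN in a hidden field
// named subject_dn (an assumed field name).
function validateEnrollmentForm(formElement) {
  const values = {};
  for (const [, field] of DN_FIELDS) {
    values[field] = formElement[field] ? formElement[field].value : "";
  }
  try {
    formElement.subject_dn.value = buildSubjectDn(values);
    return true;
  } catch (err) {
    alert(err.message);
    return false;
  }
}
```

Whether the request generator in a given browser honours every RFC 4514 escape when it turns the string into the CSR's DER Name is something to confirm with a test enrollment and a dumpasn1 of the result, as in the Diagnostic Steps below.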

Then restart the Registration Authority instance, for example:

/etc/init.d/rhpki-ra1 restart

Then try to enroll from a Windows XP client by browsing to the end-entity (EE) Registration Authority page, for example:

https://hostname:12889/ee/user/user.cgi

and in the HTML form select the cryptographic service provider:

Microsoft Enhanced Cryptographic Provider 1.0

Now, if the user enrollment form is filled in again and submitted, the subject DN should be customized as expected in the resulting CSR and in the signed digital certificate.

Root Cause

As per the End User Services documentation at:

http://www.redhat.com/docs/manuals/cert-system/8.0/ee/Using_End_User_Services.pdf

the following clients are supported:

1.4. Supported Web Browsers
The services pages for the subsystems require a web browser that supports SSL. Two browsers are
supported:
• Mozilla Firefox 1.0 and higher
• Microsoft Internet Explorer 6 and higher

Firefox generates a CSR in the CRMF format, while IE generates CSR in the PKCS #10 format.

The problem is that one of the templates is missing a few Visual Basic statements for the PKCS #10 path that would allow easier subject DN customization.

Diagnostic Steps

Follow the Red Hat Certificate System 7.3 Administration Guide, section 5.3.2 at:

http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Working_With_the_Registration_Authority-Customizing_the_Subject_DN_in_the_CSR.html

to customize the subject DN in the CSR for the Registration Authority subsystem. For example, add three fields, Organizational Unit, Organization and Country, to the enrollment form.

Enrollment requests created with a Firefox browser will result in certificates with the custom DN in the subject field.

But certificate requests generated with Internet Explorer (IE6 and IE8) may result in issued certificates that do not contain the three added fields (Organizational Unit, Organization and Country).

RA debug log example showing the custom fields for the CSR:

==> /var/lib/rhpki-ra1/logs/ra-debug.log <==
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - URL '/ee/user/submit.cgi'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param uid='xp6'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param cn='xp6'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param site_id='xp6'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param email='msauton@redhat.com'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param orgu='xp6'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param org='xp6'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param cnt='xp'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param cryptprovider='1'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param csr_type='pkcs10'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param Send='Submit'
Tue Mar 23 10:51:51 PDT 2010 - Tue Mar 23 10:51:51 PDT 2010 - Param csr='MIIDTDCCArUCAQAwbzETMBEGCgmSJomT8ixkAQETA3hwNjEhMB8GCSqGSIb3DQEJ
....
Tue Mar 23 10:51:51 PDT 2010 - request 39 created

A dumpasn1 of the CSR can show the presence of the custom field; output example:

 97   12:       SET {
 99   10:         SEQUENCE {
101    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
        :             (X.520 id-at (2 5 4))
106    3:           PrintableString 'xp6'
        :           }
        :         }
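The same check dumpasn1 performs by eye above, confirming which attribute types are actually present in the CSR's subject, can be scripted against the base64 csr value that the RA debug log records. The following is an added example, not Red Hat's code: a minimal DER walker for Node.js that reads the CertificationRequestInfo, lists the subject attributes by OID, and reports which expected attributes are missing. The two sample requests at the bottom are constructed in the block itself with a placeholder key and signature; they are not real CSRs and exist only so the example runs offline.

```javascript
// Added example (not Red Hat's code). Walks a DER-encoded PKCS #10 request and
// lists the attribute types in its subject Name, so a request with a missing
// O/OU/C can be spotted before it is signed. Uses Node's Buffer.

const ATTRIBUTE_NAMES = {
  "0.9.2342.19200300.100.1.1": "uid",
  "1.2.840.113549.1.9.1": "emailAddress",
  "2.5.4.3": "commonName",
  "2.5.4.6": "countryName",
  "2.5.4.10": "organizationName",
  "2.5.4.11": "organizationalUnitName",
};

// --- minimal DER reader ----------------------------------------------------
// Returns the tag and the [start, end) content offsets of the TLV at off.
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {                 // long form: the next n bytes hold the length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[p++];
  }
  return { tag, start: p, end: p + len };
}

function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (let i = 1; i < bytes.length; i++) {
    v = (v << 7) | (bytes[i] & 0x7f);
    if ((bytes[i] & 0x80) === 0) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}

// CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }
// CertificationRequestInfo ::= SEQUENCE { version INTEGER, subject Name, ... }
// Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }
function subjectAttributes(csrDer) {
  const csr = readTlv(csrDer, 0);
  const info = readTlv(csrDer, csr.start);
  const version = readTlv(csrDer, info.start);
  const subject = readTlv(csrDer, version.end);
  const attrs = [];
  for (let p = subject.start; p < subject.end; ) {
    const rdnSet = readTlv(csrDer, p);
    for (let q = rdnSet.start; q < rdnSet.end; ) {
      const atv = readTlv(csrDer, q);
      const type = readTlv(csrDer, atv.start);
      const value = readTlv(csrDer, type.end);
      const oid = decodeOid(csrDer.subarray(type.start, type.end));
      attrs.push({ oid, name: ATTRIBUTE_NAMES[oid] || oid,
                   value: csrDer.subarray(value.start, value.end).toString("latin1") });
      q = atv.end;
    }
    p = rdnSet.end;
  }
  return attrs;
}

// The csr= value in ra-debug.log is base64; decode it and walk the subject.
function subjectAttributesFromBase64(b64) {
  return subjectAttributes(Buffer.from(b64, "base64"));
}

// Which of the expected attribute types (by OID) are absent from the subject.
function missingSubjectAttributes(csrDer, expectedOids) {
  const present = new Set(subjectAttributes(csrDer).map((a) => a.oid));
  return expectedOids.filter((oid) => !present.has(oid));
}

// --- minimal DER writer, used only to build the constructed samples --------
function derLength(n) {
  if (n < 0x80) return [n];
  const bytes = [];
  for (let v = n; v > 0; v >>= 8) bytes.unshift(v & 0xff);
  return [0x80 | bytes.length, ...bytes];
}
function der(tag, content) {
  return Buffer.concat([Buffer.from([tag, ...derLength(content.length)]), content]);
}
function encodeOid(oid) {
  const arcs = oid.split(".").map(Number);
  const bytes = [40 * arcs[0] + arcs[1]];
  for (const arc of arcs.slice(2)) {
    const chunk = [arc & 0x7f];
    for (let v = arc >> 7; v > 0; v >>= 7) chunk.unshift((v & 0x7f) | 0x80);
    bytes.push(...chunk);
  }
  return der(0x06, Buffer.from(bytes));
}
function encodeName(triples) {   // [oid, value, string tag]; 0x13 PrintableString, 0x16 IA5String
  return der(0x30, Buffer.concat(triples.map(([oid, value, tag]) =>
    der(0x31, der(0x30, Buffer.concat([encodeOid(oid), der(tag, Buffer.from(value, "latin1"))]))))));
}
// Constructed sample: real structure, placeholder key bits and signature bits.
function sampleCsr(triples) {
  const rsa = der(0x30, Buffer.concat([encodeOid("1.2.840.113549.1.1.1"), der(0x05, Buffer.alloc(0))]));
  const spki = der(0x30, Buffer.concat([rsa, der(0x03, Buffer.from([0x00, 0x30, 0x00]))]));
  const info = der(0x30, Buffer.concat([der(0x02, Buffer.from([0])), encodeName(triples), spki, der(0xa0, Buffer.alloc(0))]));
  const sigAlg = der(0x30, Buffer.concat([encodeOid("1.2.840.113549.1.1.5"), der(0x05, Buffer.alloc(0))]));
  return der(0x30, Buffer.concat([info, sigAlg, der(0x03, Buffer.from([0x00, 0x00]))]));
}

const BASE = [["0.9.2342.19200300.100.1.1", "xp6", 0x13], ["1.2.840.113549.1.9.1", "msauton@redhat.com", 0x16], ["2.5.4.3", "xp6", 0x13]];
const CSR_WITHOUT_O = sampleCsr(BASE);                      // what the IE path produced
const CSR_WITH_O = sampleCsr(BASE.concat([["2.5.4.10", "xp6", 0x13], ["2.5.4.11", "xp6", 0x13], ["2.5.4.6", "xp", 0x13]]));
```

Run on a real request, pass the base64 text after `Param csr='` from ra-debug.log to subjectAttributesFromBase64() and compare the OIDs against the fields the form is supposed to add; an RA-side check of this kind catches the incomplete DN before the CA signs it rather than after the certificate is issued.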

Comments

  • See bugzilla number 576302 with summary "rhcs 73 80 doc admin guide - update"

  • See Red Hat Certificate System 7.3 administration guide, chapter "5.3.2. Customizing the Subject DN in the CSR" at
      http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Working_With_the_Registration_Authority-Customizing_the_Subject_DN_in_the_CSR.html

  • See Red Hat Certificate System 8.0 administration guide, chapter "2.7.3. Customizing the Subject DN in a Certificate Request Issued by an RA" at
      http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Managing_Subject_Names_and_Subject_Alternative_Names.html
