CA: Use openssl extensions instead of manually creating #27
base: main
Conversation
Signed-off-by: Nathaniel Clark <[email protected]>
looks good (glad they finally got around to supporting these in rust-openssl), but I'd encourage you to test the results with zlint and other cert checkers (like the apple one on macs) to ensure they're compatible. I ran into some issues with this.
I think coyote still depends on a fork of rust-openssl too, you can probably eliminate that in Cargo.toml if this is supported by the core library now.
also, you're not going to want client auth for all certs. just the ones that specify client authentication. just making sure you're aware of this as it's a part of the ACME specification. I'll be quiet now.
On Wednesday, April 26th, 2023 at 7:29 AM, Nathaniel Clark wrote:

> looks good (glad they finally got around to supporting these in rust-openssl), but I'd encourage you to test the results with zlint and other cert checkers (like the apple one on macs) to ensure they're compatible. I ran into some issues with this.

Recent openssl (0.10.51) actually deprecates [X509Extension::new()](https://docs.rs/openssl/latest/openssl/x509/struct.X509Extension.html#method.new) in favor of openssl::x509::extension::*. (This change post-dates this PR.)

> I think coyote still depends on a fork of rust-openssl too, you can probably eliminate that in Cargo.toml if this is supported by the core library now.

It looks like Cargo.toml uses the stock openssl crate.

> also, you're not going to want client auth for all certs. just the ones that specify client authentication. just making sure you're aware of this as it's a part of the ACME specification.

All of my letsencrypt certs are good for both Server and Client Auth, and there's nothing in the CSR that would specify one way or the other. Do you have a citation? I can't find anything in [RFC8555](https://www.rfc-editor.org/rfc/rfc8555) one way or the other.

I guess there's no issue with setting extkeyauth to use clientauth. I was misremembering I suppose.
Still, check the certs with zlint and apple's cert validator. You're going to find that safari hates the certs this thing generates.
Have a nice day
On Wednesday, April 26th, 2023 at 8:27 AM, Nathaniel Clark wrote:

I ran a generated cert through zlint and the only complaints were lack of "Authority Information Access" and "Certificate Policies"

Yes, zlint is actually a part of the test suite, which is why it gets so close. I strongly suggest if you haven't been running the suite to learn how to get it working and try using it.
My point here is to actually take an issued cert, load it into a mac's certificate validator, or try to access a website fronted by an issued cert in safari.
Apple's validator is probably as strict as it gets, and we ran into significant barriers getting safari to contact (without a certificate warning) websites fronted by the certs, even with all the appropriate DNS precautions mitigated.
Anyway, I have to run. Good luck!
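The thread touches two concrete points about the leaf certificates this PR produces: ExtendedKeyUsage carrying id-kp-clientAuth alongside id-kp-serverAuth, and zlint flagging the absent Authority Information Access and Certificate Policies extensions. The following is an added example, not code from this PR or from coyote, and it is written against Go's standard crypto/x509 rather than the rust-openssl builders the PR uses, so that it runs stand-alone: it issues a self-signed leaf under a small profile struct, then runs a local check that mirrors those two zlint findings. The host name, the OCSP and caIssuers URLs, the self-signed issuer and the profile type are all constructed for the example; 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID, used here only as a sample policy. The check is a local illustration and not a substitute for running zlint itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// LeafProfile (constructed for this example) selects which of the extensions
// discussed in the thread the issued leaf carries.
type LeafProfile struct {
	DNSName      string
	ClientAuth   bool // add id-kp-clientAuth next to id-kp-serverAuth
	WithAIA      bool // emit Authority Information Access (OCSP + caIssuers)
	WithPolicies bool // emit Certificate Policies
}

// policyInformation is the PolicyInformation SEQUENCE of RFC 5280 with the
// optional qualifiers omitted; it is DER-encoded by hand below because the
// typed Certificate field for policies changed across Go releases.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// IssueSelfSigned builds, signs and re-parses a leaf for the profile. The
// leaf signs itself only to keep the example offline; a real ACME CA signs
// with its issuing key and a parent certificate instead.
func IssueSelfSigned(p LeafProfile) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random positive serial below 2^127: fits the 20-octet DER limit.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if p.ClientAuth {
		eku = append(eku, x509.ExtKeyUsageClientAuth)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: p.DNSName},
		DNSNames:              []string{p.DNSName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true, // emits basicConstraints CA:FALSE
	}
	if p.WithAIA {
		// Constructed URLs; a CA points these at its OCSP responder and issuer cert.
		tmpl.OCSPServer = []string{"http://ocsp.ca.example.invalid"}
		tmpl.IssuingCertificateURL = []string{"http://ca.example.invalid/issuer.der"}
	}
	if p.WithPolicies {
		// certificatePolicies (2.5.29.32) as a raw extension: SEQUENCE OF PolicyInformation.
		val, err := asn1.Marshal([]policyInformation{{Policy: asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions,
			pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TLSAuthPurposes reports whether the parsed certificate's ExtendedKeyUsage
// contains id-kp-serverAuth and id-kp-clientAuth respectively.
func TLSAuthPurposes(c *x509.Certificate) (server, client bool) {
	for _, u := range c.ExtKeyUsage {
		switch u {
		case x509.ExtKeyUsageServerAuth:
			server = true
		case x509.ExtKeyUsageClientAuth:
			client = true
		}
	}
	return server, client
}

// ProfileFindings returns the gaps a TLS server leaf would be flagged for:
// the two zlint complaints quoted in the thread plus a missing serverAuth.
func ProfileFindings(c *x509.Certificate) []string {
	var out []string
	if server, _ := TLSAuthPurposes(c); !server {
		out = append(out, "ExtendedKeyUsage lacks serverAuth")
	}
	if len(c.OCSPServer) == 0 && len(c.IssuingCertificateURL) == 0 {
		out = append(out, "missing Authority Information Access")
	}
	if len(c.PolicyIdentifiers) == 0 {
		out = append(out, "missing Certificate Policies")
	}
	return out
}

func main() {
	for _, p := range []LeafProfile{
		{DNSName: "www.example.invalid", ClientAuth: true},
		{DNSName: "www.example.invalid", ClientAuth: true, WithAIA: true, WithPolicies: true},
	} {
		c, err := IssueSelfSigned(p)
		if err != nil {
			panic(err)
		}
		server, client := TLSAuthPurposes(c)
		fmt.Printf("serverAuth=%v clientAuth=%v findings=%v\n", server, client, ProfileFindings(c))
	}
}
```

The first profile reproduces the state Nathaniel reported (both TLS auth purposes present, AIA and Certificate Policies absent); the second adds the two extensions and comes back clean from the local check. Certificate Policies is added through ExtraExtensions rather than a typed field so the same code behaves identically on Go versions before and after the typed policy fields changed.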
Use `openssl::x509::extension::*` where available instead of manually building `X509Extension`. Add ClientAuth to ExtendedKeyUsage.