List: packetfence-users
Subject: Re: [PacketFence-users] Packetfence PKI add SAN
From: Thomas Michel via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date: 2021-02-01 19:06:54
Message-ID: 7b38f7b7-1c5d-1a00-9524-3fb679b619fa () michel ! ruhr
Hi Ludovic,
did you find out anything?
Thanks,
Tom.
On 07.12.2020 at 15:32, Ludovic Zammit wrote:
> I'm actually testing it and I will let you know what we can do about
> that.
>
> Thanks,
> Ludovic Zammit
> lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
>
>> On Dec 7, 2020, at 9:29 AM, <tom@michel.ruhr> wrote:
>>
>> Hi,
>> yes, Root CA is installed. But modern browsers require the servername
>> to be present in the SAN as well as in the CN. MS Edge displays a
>> NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn't present,
>> Firefox refuses to connect. This seems to be the normal behaviour
>> now, see Support for commonName matching in Certificates - Chrome
>> Platform Status (chromestatus.com)
>> <https://www.chromestatus.com/feature/4981025180483584> for example.
>> Regards,
>> Tom.
>> *From:* Ludovic Zammit <lzammit@inverse.ca>
>> *Sent:* Monday, 7 December 2020 14:56
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* tom@michel.ruhr
>> *Subject:* Re: [PacketFence-users] Packetfence PKI add SAN
>> Hello Tom,
>> Which browsers? Did you install the PacketFence PKI Root CA on the
>> testing device?
>> Because without the Root CA installed on either device, it would not
>> be able to trust the certificate issued by the PacketFence PKI and
>> also the chain.
>> Thanks,
>> Ludovic Zammit
>> lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>
>>
>>
>>> On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> Hi,
>>> I am using PacketFence 10.2 and have configured the internal PKI to
>>> deploy certificates to clients, which works fine. I thought I'd use
>>> the PKI also to create certificates for internal web servers. This
>>> works in general, but browsers show errors as no SAN is given in the
>>> certificate. Is there a way to add SANs to the certificate?
>>> Thanks,
>>> Tom.
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> <mailto:PacketFence-users@lists.sourceforge.net>
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
>
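Added example, not part of the original thread and not PacketFence code: a sketch of the SAN-only name matching the thread describes, showing why a certificate carrying the server name only in the CN is rejected even when the issuing root CA is trusted. The certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and address are constructed placeholders, and the wildcard rule is simplified.

```python
import ipaddress

def _label_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Simplified rule: '*' must be the whole leftmost label, covers exactly
        # one label, and needs at least two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def browser_style_match(cert: dict, hostname: str):
    """Return (ok, reason) using SAN-only matching; the subject CN is never read."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName extension (CN is ignored)"
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None  # not an IP literal, so compare against dNSName entries
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        elif kind == "DNS" and _label_match(value, hostname):
            return True, f"matched dNSName SAN {value}"
    return False, "hostname not listed in subjectAltName"

# Constructed sample certificates (hypothetical names), not taken from the thread.
CN_ONLY = {"subject": ((("commonName", "web01.example.internal"),),)}
WITH_SAN = {
    "subject": ((("commonName", "web01.example.internal"),),),
    "subjectAltName": (("DNS", "web01.example.internal"),
                       ("DNS", "*.apps.example.internal"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        for host in ("web01.example.internal", "a.apps.example.internal", "192.0.2.10"):
            print(name, host, browser_style_match(cert, host))
```
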