TLS: assigning certificates to username

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu May 5 22:27:18 CEST 2016


> On 5 May 2016, at 12:31, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
> 
>>> So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.
>> 
>> and if you check your Network RADIUS issued S/MIME certificate.  Oh, oh what's that? A subjectAltName with your username as an NAI? Look at that :)
> 
> Catfight! ;-)
> 
> user at example.com.pem in the FreeRADIUS directory yields this:
> 
> root at debian8:/etc/freeradius/certs# openssl x509 -in user\@example.com.pem -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 2 (0x2)
>    Signature Algorithm: sha256WithRSAEncryption
>        Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin at example.com, CN=Example Certificate Authority
>        Validity
>            Not Before: Apr 28 20:57:32 2016 GMT
>            Not After : Jun 27 20:57:32 2016 GMT
>        Subject: C=FR, ST=Radius, O=Example Inc., CN=user at example.com/emailAddress=user at example.com
>        Subject Public Key Info: [trimmed]
>        X509v3 extensions: [trimmed]
>    Signature Algorithm: sha256WithRSAEncryption [trimmed]
> 
> There the Subject CN contains... a NAI? ;-)

Um, check again :P

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
