TLS: assigning certificates to username

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Thu May 5 18:31:42 CEST 2016


>> So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.
> 
> and if you check your Network RADIUS issued S/MIME certificate.  Oh, oh what's that? A subjectAltName with your username as an NAI? Look at that :)

Catfight! ;-)

user@example.com.pem in the FreeRADIUS directory yields this:

root@debian8:/etc/freeradius/certs# openssl x509 -in user\@example.com.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
        Validity
            Not Before: Apr 28 20:57:32 2016 GMT
            Not After : Jun 27 20:57:32 2016 GMT
        Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com
        Subject Public Key Info: [trimmed]
        X509v3 extensions: [trimmed]
    Signature Algorithm: sha256WithRSAEncryption [trimmed]

There the Subject CN contains... an NAI? ;-)

Is that standards-compliant?

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
