3.2.0: certificate properties - X509v3 Certificate Policies
Stefan Winter
stefan.winter at restena.lu
Fri Jun 3 08:53:27 UTC 2022
Hello,
I also noticed that while the server logs many properties of the X.509
certificate (both incoming and outgoing), it does not store the fields
X509v3 Certificate Policies, i.e.:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server
Authentication
X509v3 Subject Key Identifier:
48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
X509v3 Authority Key Identifier:
keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
X509v3 Subject Alternative Name:
DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.27262.1.13.1.1
Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4
Policy: 1.3.6.1.4.1.25178.3.1.1
Policy: 1.3.6.1.4.1.25178.3.1.2
Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
But:
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "244f65593e791e5064b98342"
(0) TLS-Client-Cert-Expiration := "260218163105Z"
(0) TLS-Client-Cert-Valid-Since := "210219163105Z"
(0) TLS-Client-Cert-Subject :=
"/DC=net/DC=geant/DC=eduroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu"
(0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Client-Cert-Common-Name := "tld1.eduroam.lu"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication, TLS Web Server Authentication"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
... but no "TLS-Client-Cert-X509v3-Certificate-Policy"
In eduroam, we use certificate policy entries to denote "This is an
authorized eduroam server" (or ..."client", or both), so it is required
as an authz check to act on the policy OIDs present in the cert (the
ones with vendor ID 25178 above).
Greetings,
Stefan Winter
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
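An added example, not code from the post or from FreeRADIUS: a minimal pure-Python DER decoder that pulls the policy OIDs out of a certificatePolicies extension value (the X509v3 Certificate Policies field above) and filters them for the eduroam arc under vendor ID 25178, which is the authz check the post describes. The extension bytes are constructed here from the five OIDs quoted in the post; which individual OID denotes "server" or "client" is not asserted.

```python
EDUROAM_ARC = "1.3.6.1.4.1.25178."  # vendor ID 25178, as cited in the post (added example, not FreeRADIUS code)
def encode_oid(oid):  # dotted string -> OBJECT IDENTIFIER TLV (short-form length)
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]  # lowest 7 bits carry no continuation bit
        while arc := arc >> 7:
            groups.append(0x80 | (arc & 0x7F))
        body.extend(reversed(groups))  # most significant group first
    return b"\x06" + bytes([len(body)]) + bytes(body)
def der_seq(body):  # SEQUENCE TLV; short-form length suffices for the sample
    assert len(body) < 128
    return b"\x30" + bytes([len(body)]) + body

def read_tlv(data, pos, expect):  # -> (value bytes, position after the TLV)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if tag != expect:
        raise ValueError(f"expected tag {expect:#x}, got {tag:#x}")
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return data[pos:pos + length], pos + length
def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:  # continuation bit: more base-128 groups follow
            continue
        if arcs:
            arcs.append(value)
        else:  # first decoded value packs the first two arcs as 40*a + b
            arcs += [2, value - 80] if value >= 80 else list(divmod(value, 40))
        value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):  # policyIdentifier of every PolicyInformation
    outer, _ = read_tlv(ext_value, 0, 0x30)
    oids, pos = [], 0
    while pos < len(outer):
        info, pos = read_tlv(outer, pos, 0x30)  # PolicyInformation SEQUENCE
        oid_body, _ = read_tlv(info, 0, 0x06)   # OID comes first; qualifiers skipped
        oids.append(decode_oid(oid_body))
    return oids
def eduroam_policies(oids):  # the authz filter the post wants to act on
    return [o for o in oids if o.startswith(EDUROAM_ARC)]

# Constructed sample: the five policies quoted in the post, DER-encoded.
SAMPLE_POLICIES = ["1.3.6.1.4.1.27262.1.13.1.1", "1.3.6.1.4.1.27262.1.13.1.1.1.4",
                   "1.3.6.1.4.1.25178.3.1.1", "1.3.6.1.4.1.25178.3.1.2",
                   "1.3.6.1.4.1.27262.1.13.2.1.1.8"]
SAMPLE_EXT = der_seq(b"".join(der_seq(encode_oid(o)) for o in SAMPLE_POLICIES))
```

Until the server exposes the policies as an attribute, a check like this has to run on the raw certificate outside FreeRADIUS.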