[Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 24 07:24:24 UTC 2016


On Mon, 24 Oct 2016, Fraser Tweedale wrote:
>On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote:
>> Hello,
>>
>> I would like to better understand why IPA requires SAN (subject alternative
>> name) entries to have a backing host record. In order to sign a certificate
>> with a SAN that corresponded to a user friendly CNAME I had to add a host
>> record (ipa host) for that DNS name (use force option to create without an
>> A/AAAA record) as well as a service principal.
>>
>> I'm sure I'm not alone when I say I don't like doing that because it means
>> that a "Host" in FreeIPA is not a computer, it's a host record that may or
>> may not be the only record that corresponds to a computer. It gets
>> confusing.
>>
>> I assume things are this way to ensure integrity at some level. But I can't
>> picture it. What is the potential danger of simply bypassing the
>> host/principal checks and just signing the certificate with whatever SAN
>> field we like?
>>
>In this specific case, it is because certmonger requests service
>certificates with host credentials.  Therefore it is not just human
>administrators issuing certs.  And we MUST validate SAN against
>information in the directory (the only "source of truth" available
>to the CA / IPA cert-request command).  Otherwise you could put e.g.
>`google.com' into SAN, and we would issue the cert, and that would
>be Very Bad.
>
>The problem is slightly exacerbated in that 99% of the time you
>really want to issue service certs, but FreeIPA does not permit the
>creation of a service entry without a corresponding host entry.  So
>you end up with spurious host entries that do not correspond to
>actual hosts.  I have previously asked about relaxing this
>restriction.  The idea was rejected (for reasons I don't remember).
The host entries are not "spurious" as you call them. They are objects
that participate in the access control. Services always belong to hosts
and are managed by them. Whether there are DNS entries corresponding to
the controlling objects is irrelevant; their primary use is to be
something that can be defined as owning the service. The fact that the
host object is also a service in itself (for host/<hostname>) is an
obvious optimization for the Kerberos infrastructure.

As you know, at the X.509 certificate level there are no differences between
services running on the same host, so technically all Kerberos services
could share the same certificate associated with the host that controls
them. You could just keep the certificate in the host entry and be done
with it. This, of course, has its own issues -- mostly related to rotation
of the certificates and access to the private keys from multiple
applications -- but this has nothing to do with the way IPA presents
hosts in the database.


-- 
/ Alexander Bokovoy
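The directory-backed SAN check that Fraser describes (a SAN name is accepted only if the directory knows the host, a matching service principal exists, and the requesting host is allowed to manage it), as an added example that is not FreeIPA's own code. It is a simplified Python model: the `Directory` class, the host names, the principals and the managed-by relation below are all constructed assumptions, not the real IPA schema. It shows why a SAN such as `google.com` is refused while a user friendly CNAME that has a (forced) host entry plus a service principal goes through.

```python
"""Simplified model of the SAN-vs-directory check discussed in the thread.
Added example, not FreeIPA code; all directory contents are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Directory:
    """Minimal stand-in for the IPA directory (assumption): host entries and
    service principals, each service recording which hosts may manage it."""
    hosts: Set[str] = field(default_factory=set)
    # service principal -> set of host FQDNs allowed to manage that service
    services: Dict[str, Set[str]] = field(default_factory=dict)


def split_principal(principal: str) -> Tuple[str, str]:
    """'HTTP/web1.example.test' -> ('HTTP', 'web1.example.test')."""
    service, _, host = principal.partition("/")
    if not service or not host:
        raise ValueError(f"malformed principal: {principal!r}")
    return service, host.lower()


def validate_san(requester: str, target: str, san_dnsnames: List[str],
                 directory: Directory) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons).

    Accept only if the requester is a host principal, the target service
    principal exists, and every dNSName in the SAN is backed by a host
    entry, has a service principal of the same service type, and that
    principal is manageable by the requesting host.  Every failed rule is
    recorded so the operator can see exactly what is missing."""
    reasons: List[str] = []
    req_service, req_host = split_principal(requester)
    if req_service != "host":
        return False, [f"requester {requester} is not a host principal"]
    svc_type, _ = split_principal(target)
    if target not in directory.services:
        reasons.append(f"target principal {target} not found in directory")
    for name in san_dnsnames:
        fqdn = name.lower()
        if fqdn not in directory.hosts:
            # No host object owns this name: nothing in the directory vouches
            # for it, so an arbitrary name like google.com stops here.
            reasons.append(f"SAN {name}: no host entry")
            continue
        alt_principal = f"{svc_type}/{fqdn}"
        managers = directory.services.get(alt_principal)
        if managers is None:
            reasons.append(f"SAN {name}: no principal {alt_principal}")
        elif req_host not in managers:
            reasons.append(
                f"SAN {name}: {requester} may not manage {alt_principal}")
    return (not reasons), reasons


# Constructed directory: web1 is a real machine, www is the friendly CNAME
# added as a host entry (as with --force) plus an HTTP principal that the
# real machine is allowed to manage; db1 runs only an ldap service.
EXAMPLE_DIRECTORY = Directory(
    hosts={"web1.example.test", "www.example.test", "db1.example.test"},
    services={
        "HTTP/web1.example.test": {"web1.example.test"},
        "HTTP/www.example.test": {"web1.example.test"},
        "ldap/db1.example.test": {"db1.example.test"},
    },
)


def main() -> None:
    cases = [
        ("host/web1.example.test", "HTTP/web1.example.test", ["www.example.test"]),
        ("host/web1.example.test", "HTTP/web1.example.test", ["google.com"]),
        ("host/web1.example.test", "HTTP/web1.example.test", ["db1.example.test"]),
        ("host/db1.example.test", "HTTP/web1.example.test", ["www.example.test"]),
    ]
    for requester, target, san in cases:
        ok, reasons = validate_san(requester, target, san, EXAMPLE_DIRECTORY)
        print(f"{requester} -> {target} SAN={san}: {'ACCEPT' if ok else 'REJECT'}")
        for r in reasons:
            print("   ", r)


if __name__ == "__main__":
    main()
```

The four cases in `main` walk through the situations raised in the thread: the friendly CNAME is accepted once both its host entry and its HTTP principal exist, an unrelated public name is refused because no host object owns it, a real host without a principal of the requested service type is refused, and a host that is not in the managed-by set of the target service cannot obtain a certificate for it even though every object exists.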
