Hi,
I have created a certificate authority infrastructure in GCP. I have 1 root and 2 issuing CAs.
I am facing an unusual error while requesting a certificate from an issuing CA. If I provide a CSR and request a certificate, I get the end entity certificate where I can see the "subject" details and SAN details.
If I request a certificate directly without providing a CSR, I get the end entity certificate where I CANNOT see the "subject" details. Attached is the certificate screenshot and the requesting details.
Why is the subject in the certificate empty? Shouldn't it contain the certificate name (testcertificate-112062022)? I can see that the SAN contains testcertificate-112062022.abc.com & testcertificate-212062022.
Hi abehera1,
Good day,
Can you try this one, as per the GCP public documentation on CA certificate settings:
"If you want to specify a subject alternative name for your CA's certificate, you must use the Google Cloud CLI."
Regards
Jeffrey
Hello Jeffrey,
Thank you for replying. The subject alternative name comes up fine as requested. Please see the image below.
I know that the subject is informational in nature, but I cannot comprehend why the subject remains blank when we are requesting a certificate from the Google CA.
Regards,
Amit
Hi Amit,
Can you review this one below:
I've read over RFC 5280 again and asked around a few other PKI experts, and I don't believe it's possible to entirely omit the subject from a certificate since it's a field defined in the v1 certificate rather than an X.509v3 certificate extension (which can be omitted).
Per RFC 5280 §4.1.2.6 Subject:
... If subject
naming information is present only in the subjectAltName extension
(e.g., a key bound only to an email address or URI), then the subject
name MUST be an empty sequence and the subjectAltName extension MUST
be critical.
We could make this optional at the API level, but if this is impossible at the X.509 layer (and the best you can do there is have an empty sequence), then I don't believe it will make any semantic difference. It would just mean writing one less initializer in the programming language / JSON being sent.
Regards
Jeff
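The RFC 5280 §4.1.2.6 rule quoted above is something you can check mechanically on any certificate you receive from an issuing CA: if the subject is an empty SEQUENCE, the subjectAltName extension must be present and marked critical. The script below is an added example, not code from this thread or from Google's CA service; it uses only the Python standard library, builds a CONSTRUCTED certificate skeleton with placeholder key and signature bytes (so it will not verify with a real X.509 library), and then walks the DER to report the subject CNs, the SAN criticality, and whether the §4.1.2.6 condition holds. The names (testcertificate-112062022 and its abc.com SAN) are taken from the question; everything else is assumed for illustration.

```python
# Added example (not from the thread): encode a minimal DER certificate with an
# empty or non-empty subject plus a SAN extension, then check it against
# RFC 5280 section 4.1.2.6 (empty subject => SAN MUST be present and critical).
# Key bits and signature are placeholder zeros: this is a parser/check demo only.

SAN_OID = "2.5.29.17"   # id-ce-subjectAltName
CN_OID = "2.5.4.3"      # id-at-commonName


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for arc in p[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def der_name(common_names):
    """X.501 Name: SEQUENCE OF SET OF (OID, UTF8String); [] -> empty SEQUENCE."""
    rdns = b"".join(tlv(0x31, tlv(0x30, der_oid(CN_OID) + tlv(0x0C, cn.encode())))
                    for cn in common_names)
    return tlv(0x30, rdns)


def build_cert(subject_cns, san_dns, san_critical):
    """Constructed TBSCertificate + placeholder signature (NOT a valid signed cert)."""
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" * 9))                     # placeholder key bits
    general_names = tlv(0x30, b"".join(tlv(0x82, d.encode()) for d in san_dns))  # [2] dNSName
    ext = tlv(0x30, der_oid(SAN_OID)
              + (tlv(0x01, b"\xff") if san_critical else b"")  # critical BOOLEAN, DEFAULT FALSE
              + tlv(0x04, general_names))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))        # [0] version v3
              + tlv(0x02, b"\x01")                  # serialNumber
              + sig_alg
              + der_name(["Test Issuing CA"])       # issuer (assumed name)
              + validity
              + der_name(subject_cns)               # subject, possibly empty
              + spki
              + tlv(0xA3, tlv(0x30, ext)))          # [3] extensions
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 17))  # placeholder signature


def read_tlv(buf, off):
    """Decode one DER TLV at offset; returns (tag, value bytes, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def check_subject_san(cert_der):
    """Report subject CNs, SAN status, and whether RFC 5280 4.1.2.6 is satisfied."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    fields = children(children(cert_body)[0][1])      # TBSCertificate fields
    if fields[0][0] == 0xA0:                          # skip optional [0] version
        fields = fields[1:]
    subject = fields[4][1]                            # serial, sigalg, issuer, validity, subject
    cns = [children(children(rdn)[0][1])[1][1].decode() for _, rdn in children(subject)]
    san_present = san_critical = False
    for tag, val in fields[6:]:                       # optional issuerUID/subjectUID/[3] exts
        if tag != 0xA3:
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)
            if tlv(0x06, parts[0][1]) == der_oid(SAN_OID):
                san_present = True
                san_critical = len(parts) == 3 and parts[1][1] == b"\xff"
    return {"subject_cns": cns, "subject_empty": not cns,
            "san_present": san_present, "san_critical": san_critical,
            "rfc5280_ok": bool(cns) or (san_present and san_critical)}


if __name__ == "__main__":
    san = ["testcertificate-112062022.abc.com"]
    for label, cns, crit in [("CN present", ["testcertificate-112062022"], False),
                             ("empty subject, critical SAN", [], True),
                             ("empty subject, non-critical SAN", [], False)]:
        print(label, "->", check_subject_san(build_cert(cns, san, crit)))
```

The second case is the shape the RFC allows for a CSR-less request whose identity lives only in the SAN; the third case is the one to flag in review, since relying parties that honour criticality will treat the certificate as carrying no subject identity at all. To run the same check on a real certificate, read its DER bytes (PEM decoded) and pass them to check_subject_san.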
You can use the gcloud command to get a certificate with the subject field; see below:
gcloud privateca certificates create new-certificate --issuer-pool=${pool} --issuer-location=${location} --generate-key --subject="CN=" --key-output-file=mykey.key --cert-output-file=cert.crt --dns-san=${san_entry} --validity=P1000D --project=${project_id}