Certmonger certificate does not include EKUs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | High | Dan Trainor | |
Bug Description
The SSL certificate requested by tripleo and provided by certmonger does not include two additional EKUs (Extended Key Usage attributes) that Firefox requires because of its strict adherence[0] to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)[1] when a self-signed certificate is used. Other browsers such as Chrome, and most SSL clients, are not this strict. Without these added EKUs, Firefox will always generate a 'SEC_ERROR_
When the certificate is generated, a default request will generate a certificate with no additional EKUs. The result is a certificate being created without explicitly specifying two additional EKUs that are required by Firefox: id-kp-serverAuth and id-kp-clientAuth.
At the moment there is no supported option to add EKUs at certificate request time in the earsdown/
Add the required EKUs by modifying instack-
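The check below is an added example, not code from this bug, tripleo or certmonger. It walks a DER-encoded certificate (or any DER fragment containing the extensions block) with the Python standard library only, locates the Extended Key Usage extension (OID 2.5.29.37) and reports which of id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) are missing, which is exactly the defect described above. The two sample inputs are constructed in the block itself (a bare basicConstraints extension, and the same plus an EKU extension); they are not certificates produced by certmonger.

```python
"""Check DER-encoded X.509 data for the EKUs Firefox expects (added example, stdlib only)."""

EKU_EXTENSION_OID = "2.5.29.37"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
REQUIRED_EKUS = {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH}


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER tag-length-value starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _iter_tlvs(data):
    """Yield (tag, value) for each TLV in a constructed value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value


def _tlv(tag, value):
    """Encode a DER TLV (used only to build the constructed samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """Encode a dotted OID string as DER OBJECT IDENTIFIER contents."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:  # base-128 with continuation bit on all but the last byte
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents back to dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def find_ekus(der):
    """Return the set of EKU OIDs found in the 2.5.29.37 extension (empty if absent)."""
    ekus = set()

    def walk(data):
        for tag, value in _iter_tlvs(data):
            if tag == 0x30:  # SEQUENCE: could be an Extension { extnID, [critical], extnValue }
                items = list(_iter_tlvs(value))
                if items and items[0][0] == 0x06 and decode_oid(items[0][1]) == EKU_EXTENSION_OID:
                    octets = items[-1][1]  # extnValue OCTET STRING wraps SEQUENCE OF KeyPurposeId
                    for t, v in _iter_tlvs(octets):
                        if t == 0x30:
                            ekus.update(decode_oid(ov) for ot, ov in _iter_tlvs(v) if ot == 0x06)
                    continue
            if tag & 0x20:  # constructed: descend (covers the [3] extensions wrapper too)
                walk(value)

    walk(der)
    return ekus


def missing_ekus(der):
    """EKUs Firefox wants that the certificate does not carry."""
    return REQUIRED_EKUS - find_ekus(der)


def build_eku_extension(oids):
    """Construct a DER Extension for 2.5.29.37 listing the given purposes (sample data)."""
    ext_value = _tlv(0x30, b"".join(_tlv(0x06, encode_oid(o)) for o in oids))
    return _tlv(0x30, _tlv(0x06, encode_oid(EKU_EXTENSION_OID)) + _tlv(0x04, ext_value))


# Constructed samples: the [3] extensions block of a tbsCertificate, not real certmonger output.
_BASIC_CONSTRAINTS = _tlv(0x30, _tlv(0x06, encode_oid("2.5.29.19")) + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))
SAMPLE_WITHOUT_EKUS = _tlv(0xA3, _tlv(0x30, _BASIC_CONSTRAINTS))
SAMPLE_WITH_EKUS = _tlv(0xA3, _tlv(0x30, _BASIC_CONSTRAINTS + build_eku_extension([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])))

if __name__ == "__main__":
    for name, sample in (("without", SAMPLE_WITHOUT_EKUS), ("with", SAMPLE_WITH_EKUS)):
        print(name, "EKUs:", sorted(find_ekus(sample)), "missing:", sorted(missing_ekus(sample)))
```

To run it against a real certificate, read the DER bytes of the file (convert PEM first, for example with `openssl x509 -outform DER`) and pass them to `missing_ekus`; an empty result means both purposes Firefox looks for are present.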
---
[0] https:/
[1] https:/
[2] https:/
Changed in tripleo:
- assignee: nobody → Dan Trainor (dtrainor)
- description: updated

Changed in tripleo:
- status: New → Triaged
- importance: Undecided → High
- milestone: none → pike-1
- tags: added: ocata-backport-potential

Changed in tripleo:
- milestone: pike-1 → ocata-rc2

Changed in tripleo:
- milestone: ocata-rc2 → pike-1
Fix proposed to branch: master
Review: https://review.openstack.org/439746