ONTAP Discussions
Hello,
We have enabled an AD user or group to access the cluster or SVM using the following commands.
-------------------*****-------------------
cluster1> security login domain-tunnel create -vserver vs1
cluster1> security login domain-tunnel show
Tunnel Vserver: vs1
The following command enables the "Administrator" AD user of the "DOMAIN1" domain to access the cluster through SSH:
cluster1> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -application ssh -authmethod domain
The following command enables all users of the "group1" AD group in the "DOMAIN1" domain to access the cluster through SSH:
cluster1> security login create -vserver cluster1 -user-or-group-name DOMAIN1\group1 -application ssh -authmethod domain
The following command enables the "Administrator" AD user of the "DOMAIN1" domain to access the "vs1" SVM through SSH:
cluster1> security login create -vserver vs1 -user-or-group-name DOMAIN1\Administrator -application ssh -authmethod domain
The following command enables all users of the "group1" AD group in the "DOMAIN1" domain to access the "vs2" SVM through SSH:
cluster1> security login create -vserver vs2 -user-or-group-name DOMAIN1\group1 -application ssh -authmethod domain
-------------------*****-------------------
Now we want to use this AD user for ONTAPI communication using SSL certificate-style authentication.
So to achieve this we need to create an SSL certificate whose common name is the security login, which is DOMAIN1\username in our case.
So we generate an SSL certificate with the common name DOMAIN1\username. But while installing this SSL certificate on the admin vserver or SVM we get the following error and the certificate installation is unsuccessful.
-------------------*****-------------------
diontap821> security certificate install -type client-ca -vserver diontap821
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Error: command failed: The common name(CN) extracted from the certificate is invalid.
-------------------*****-------------------
Now my question is how to install an SSL certificate which has special characters in it, OR
how can I enable SSL certificate ONTAPI communication when the security login is an AD user or group?
They are using "@" in their common name, which is not supported. The man page lists the supported characters for reference.
Thought of sharing since I checked their cert.
bash-4.1$ openssl x509 -text -noout -in /u/mangala/test.crt
unable to load certificate
140401619441320:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:
-bash-4.1$ openssl x509 -text -noout -in /u/mangala,svl/test.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12102307169179892730 (0xa7f4083fe5a17bfa)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=MH, L=Puna, O=SYMC, OU=IT, CN=tulip0@tulip.matrixad.local/emailAddress=subhash_kotkar@symantec.com
Validity
Not Before: Feb 27 12:11:48 2015 GMT
Not After : Feb 27 12:11:48 2016 GMT
Subject: C=IN, ST=MH, L=Puna, O=SYMC, OU=IT, CN=tulip0@tulip.matrixad.local/emailAddress=subhash_kotkar@symantec.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
44:04:76:05:8E:F5:F4:9C:F8:04:78:1F:84:7A:AA:1F:73:20:4A:64
X509v3 Authority Key Identifier:
keyid:44:04:76:05:8E:F5:F4:9C:F8:04:78:1F:84:7A:AA:1F:73:20:4A:64
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
-bash-4.1$
-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
This specifies the desired certificate name as a fully qualified
domain name (FQDN) or custom common name or the name of a person. The
supported characters, which are a subset of the ASCII character set,
are as follows:
o Letters a through z, A through Z
o Numbers 0 through 9
o Asterisk (*), period (.), underscore (_) and hyphen (-)
The common name must not start or end with a "-" or a ".". The maximum
length is 253 characters.
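A pre-flight check for the rule quoted above, written as an added example (not from this thread or from NetApp): it applies the man page's character rules to a candidate common name and can pull the CN out of an openssl Subject line like the one shown earlier, so a certificate can be rejected before it ever reaches `security certificate install`.

```python
import re

# Character rules quoted from the ONTAP man page in this thread (example code added
# here, not from the thread or from NetApp): letters, digits, '*', '.', '_', '-';
# no leading or trailing '-' or '.'; at most 253 characters.
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9*._-]")
_MAX_LEN = 253


def ontap_cn_problems(cn):
    """Return the reasons ONTAP would reject this common name (empty list = acceptable)."""
    problems = []
    if not cn:
        return ["empty common name"]
    if len(cn) > _MAX_LEN:
        problems.append("length %d exceeds %d" % (len(cn), _MAX_LEN))
    bad = sorted({c for c in cn if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("unsupported characters: " + " ".join(repr(c) for c in bad))
    if cn[0] in "-." or cn[-1] in "-.":
        problems.append("must not start or end with '-' or '.'")
    return problems


def cn_from_openssl_subject(line):
    """Extract the CN value from an 'openssl x509 -text' Subject/Issuer line.

    Handles both the old '/'-separated and the newer ', '-separated formats."""
    m = re.search(r"CN=([^/,]+)", line)
    return m.group(1).strip() if m else ""


if __name__ == "__main__":
    # Constructed sample: the Subject line as it appears in the thread's openssl output.
    subject = ("Subject: C=IN, ST=MH, L=Puna, O=SYMC, OU=IT, "
               "CN=tulip0@tulip.matrixad.local/emailAddress=subhash_kotkar@symantec.com")
    for candidate in (cn_from_openssl_subject(subject),
                      "DOMAIN1\\Administrator",
                      "tulip0.tulip.matrixad.local"):
        issues = ontap_cn_problems(candidate)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

Both the thread's CN (because of "@") and a DOMAIN\user style name (because of the backslash) fail the check, which is why the install error above is expected rather than a bug in the certificate itself.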
OK, so if the common name does not support special characters, how can I enable SSL certificate ONTAPI communication when the security login is an AD user or group?
I don't think you can create a domain user that uses a certificate. You can create a user that uses either domain authentication or certificate authentication, but not both.
florawcluster-1::> security login create -user-or-group-name user1 -application ontapi -authmethod ?
password
domain
nsswitch
cert
Note: you can only choose domain/cert as the authmethod.
You need to know what you really want to do first.
We would like to use a domain user with a certificate, as local accounts are not allowed per company policy.
The main concern is that when HTTP communication is used for FPolicy, passwords are not encrypted and you can see all passwords in Wireshark traces; see attached. With certificate communication using a domain user we can avoid this security risk.
Is there any workaround, and can you also create an enhancement request to support this in the near future?
We are getting the following error when using signed certificates with client-ca authentication. Everything works fine when using self-signed certificates.
code: AUTHENTICATION_FAILED
message: "Could not connect to the filer with the user creds provided"
detailedMessage: "Error connecting to port 443 of filer mketest. Err: No permission to use \'hostsequiv\' authentication, must be root.."
Any help really appreciated.