On Mon, 19 Oct 2020, Christian Heimes via FreeIPA-users wrote:
On 19/10/2020 15.17, Krzysztof O via FreeIPA-users wrote:
>> Krzysztof O via FreeIPA-users wrote:
>>
>> RFC 3280 defines the upper-bound of common name at 64 and is mandatory.
>>
>> What problem is this causing?
>>
>> rob
>
> When issuing a CSR from the overcloud nodes, the CN field value exceeds the
> 64-character limit and the request fails. We expect to be able to issue CSRs for FQDNs
> longer than 64 characters.
>
> The domain cannot be shortened, at least the customer subdomain, so we need a solution
> which will allow us to deploy a RHOSP cluster with TLS everywhere enabled, when the FQDN
> used in CN is longer than 64 characters.
This is not possible. RFC 3280 limits the upper bound for common name to
64 octets. From
https://tools.ietf.org/html/rfc3280#appendix-A.1 page 103:
ub-common-name INTEGER ::= 64
A certificate with a longer common name would be in violation of the
standard and therefore an invalid certificate.
In general, hostnames with more than 64 octets are badly supported by the
Linux kernel. For example, gethostname() and uname()'s utsname->nodename
are limited to 64 characters. You are going to run into more issues.
Also, if this is about TLS certificates, contemporary clients should be
looking into dNSName SAN values, not CN. So the solution would be to
explicitly populate those names and make sure IPA grants issuance rights
to those.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
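Added example (not FreeIPA, certmonger or RHOSP code) showing, with only Python's standard library, how to keep an over-long overcloud FQDN out of CN and carry it as dNSName SAN entries instead; the hostnames are constructed, and the IPA issuance-rights check mentioned in the reply is out of scope here.

```python
"""Plan the subject CN and SAN dNSName list for a CSR whose host FQDN may
exceed ub-common-name (64 octets, RFC 3280 / RFC 5280 Appendix A.1).
Added example; not FreeIPA or certmonger code. Hostnames are constructed."""
import re

UB_COMMON_NAME = 64   # octets; ub-common-name INTEGER ::= 64
MAX_HOSTNAME = 253    # RFC 1035 total name limit (without trailing dot)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1035 label


def normalize_fqdn(fqdn):
    """Lower-case, strip a trailing dot and reject names DNS itself refuses."""
    name = fqdn.strip().lower().rstrip(".")
    if not name or len(name) > MAX_HOSTNAME:
        raise ValueError("hostname length out of range: %r" % fqdn)
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        raise ValueError("invalid DNS label in %r" % fqdn)
    return name


def fits_common_name(name):
    """True if the name fits in CN without violating ub-common-name."""
    return len(name.encode("ascii")) <= UB_COMMON_NAME


def plan_csr_names(fqdn, extra_names=()):
    """Return (common_name_or_None, san_dns_names) for a CSR.

    A name longer than 64 octets never goes into CN; every name, long or
    short, is carried as a dNSName SAN entry, which is what contemporary TLS
    clients match on. Each SAN name must also be a host the CA (IPA) grants
    issuance rights for; that policy check is hypothetical and not done here.
    """
    primary = normalize_fqdn(fqdn)
    sans = [primary] + [normalize_fqdn(n) for n in extra_names]
    sans = list(dict.fromkeys(sans))  # de-duplicate, keep order
    cn = primary if fits_common_name(primary) else None
    return cn, sans


def openssl_san_extension(sans):
    """Render the SAN list as an 'openssl req -addext' argument value."""
    return "subjectAltName=" + ",".join("DNS:" + n for n in sans)
```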