Help whith CN

[progkoder]

Hello. I am using your acme2certifier as a proxy with mswcce_ca_handler.py for automatic receipt and renewal of certificates. I use certbot as a client. But there is no Common Name (Subject Name) in the certificate. Is it possible to make an extension on the acme2certifier server side that will add a Common Name (Subject Name). I'm really waiting for an answer. Thanks.

[grindsa]

Hi, there is unfortunately no easy way that a2c would add a common name to a CSR. Main reason that we cannot modify the CSR as it is signed by the private key of the client.

However, there a multiple options to workaround this issue

• generate the CSR manually and use the --csr option in certbot
• use a different client (acme-sh or lego)
• allow empty CNs on your CA server

What problem are you trying to solve?

/G.

[progkoder]

Thanks for the quick response. I'm trying to set up your a2c as a proxy for automatically receiving and updating certificates on network hosts. The choice fell on certbot. It is available for Windows and *nix OS. Using the - --csr in certbot option prevents you from automating the certificate renewal process. There is a patch for certbot for Linux OS. He edit the acme library. But there are hosts with Windows OS. It's just that you have this function CN for xca_ca_handler.py and openssl_ca_handler.py there. Is an addition of CN to CSR in the code. So I was wondering if it was possible to add the option to add CN and for mswcce_ca_handler.py . Tell me is there such a possibility or not? Thanks.

[grindsa]

Hi,

I am sorry but enforcing a CN is only possible for handlers where a2c acts as ca-server. Main reason is that you cannot modify the CSR without breaking the signature. So you need to do this on the CA itself (not sure if this is possible on a MS-CA).

Maybe lego could be an alternative acme-client. It is available for both Windows and Linux.

Sorry
G.

[progkoder]

Thanks.

[progkoder]

Hi. I want to clarify once again. If apply such a scheme. Certbot(ferst host) - Acme2Certifier (second host as acme-proxy) - MS-CA (therd host as CA) and apply patch the file crypto_util.py libraries ACME on the client side where Certbot (ferst host). And make request certificate then me get in the certificate when using your module mswcce_ca_handler.py in acme_srv.cfg when requested from MS-CA( host as CA). And i get the CN parameter appears. Is it possible to apply this patch on the Acme2Certifier server side so that the Common Name parameter appears in the certificate when requested? Simple application of the patch on the server Acme2Certifier side file crypto_util.py the ACME library does not give a result. Is it possible to change your module mswcce_ca_handler.py for example, by adding a cn_enforce type parameter to it so that it gives a Common Name. I sent
add-cn-to-csr-v2.2.0.patch_ for Certbot 2.2.0.zip
you the Acme library patch file. Thanks.

[grindsa]

Hi,

Certbot including the patch will.

1. create a CSR out of the public key
2. add the first SAN as common name (this is what the patch is about)
3. Sign the CSR with the corresponding private key

The signature is used on CA to verify that the CSR has not been modified in transit.

Although a2c can perform above mentions steps 1 and 2 it can never perform step 3 as it is missing the private key which is located on the client running the certbot application. CSR modifications can only be done on either client-side (due to mandatory re-signing) or on the CA itself who has the authority to change a CSR and enforce certain attributes.

I am really sorry but i do not see any chance to do what you have in mind. You should either patch certbot or use a different acme-client like lego...

G.

[progkoder]

Hi. Thank you so much for your reply.

[progkoder]

Hi. I probably don't have much choice, and I really need to pay attention to the Lego acme client. But I don't see its implementation for Windows. Please provide a link to its implementation for Windows, if it is not difficult for you. Thank you.

[grindsa]

Hi, thats easy.. depending on the plattform here are the links to the latest version from the repo:

https://github.com/go-acme/lego/releases/download/v4.16.1/lego_v4.16.1_windows_amd64.zip
https://github.com/go-acme/lego/releases/download/v4.16.1/lego_v4.16.1_windows_386.zip
https://github.com/go-acme/lego/releases/download/v4.16.1/lego_v4.16.1_windows_arm64.zip

[progkoder]

Thank you so much for your reply.