glatzert / ACME-Server-ADCS

ACME (RFC 8555) Server compatible implementation, connecting to Active Directory Certificate Services (ADCS)

Subject empty

sedstr opened this issue · comments

Firstly thanks for making this tool available, awesome work!

I've followed the installation instructions and I'm able to request a working SSL certificate from an MS CA, but even though the certificate appears as valid, the subject value is empty while the subject alternative name is populated. I'm trying to populate both values with the same hostname.

I've tried different value combinations at the json config level and tried passing multiple values through certbot without success - it either fails or works but is still missing the subject value.

I'm sure this is a simple problem that I shouldn't need to ask for assistance on, but if you could spare a moment to share your knowledge, I'd really appreciate it.

That's probably on your client. The server does not meddle with the CSR - it will validate the DNS SANs and CN, but not change it.

I'd like to thank you too. That's exactly what I've been looking for.

I have the same issue as @sedstr mentioned. I have tried different versions of certbot (from 1.27 till latest 2.6.0). The enrollment of the certificate works like a charm, but each has an empty subject.
When I set 'AllowEmptyCN' to 'false' this error occurs when I try to enroll a certificate:

"error":{"type":"urn:ietf:params:acme:error:badCSR","detail":"CN Invalid."}

I used this command to enroll a certificate:

certbot certonly --rsa-key-size 2048 --key-type rsa --server http://acme-adcs:80 --cert-name server01.server.srv --agree-tos -d server01.server.srv -d server01.server.srv,server01 --expand

I am using the Windows variant of certbot. Maybe this could be the reason? Any ideas?

Thanks again!

Without exposing private data, are you able to provide the CSR?

Also on a side note - why do you need the subject to be present?

Relevant Issue: certbot/certbot#6463
You might be able to configure the certificate issuance to set a CN - but I don't know if a Windows CA template is able to do that.

Thanks for your response.
This is the CSR decoded:

openssl req -text -in c:\temp\cert\Request\csr.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject:
Subject Public Key Info:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:server01.server.srv,server01

As you can see, subject field is empty, but SAN is filled correctly.

I have some applications for which I do need the subject, e.g. for network authentication. If the CN is empty the client cannot verify the certificate and the authentication fails.

From my point of view the CN is missing in the CSR, so I guess I cannot resolve this issue on the Windows CA side?!
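The decoded CSR above has an empty Subject and a populated SAN, and the maintainer's earlier reply says the server validates the DNS SANs and the CN but never rewrites the CSR. The following Python script is an added example, not part of this thread and not code from ACME-Server-ADCS; it uses the `cryptography` package to build a CSR that carries both a Subject CN and DNS SANs (the combination asked for here), to read both back out of any CSR, and to run a server-side CN/SAN check of the kind described: every DNS SAN must be among the identifiers the ACME order authorizes, a present CN must also be among them, and an absent CN is accepted only when an `allow_empty_cn` flag is set. The function names, the `allow_empty_cn` parameter and the other error strings are assumptions; only the `"CN Invalid."` detail text comes from the thread.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_csr(dns_names, cn=None):
    """Build and sign a CSR with every name in dns_names as a DNS SAN and,
    if cn is given, a Subject CN as well. With cn=None the Subject is the
    empty sequence seen in the decoded CSR above. Assumed helper."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)] if cn else []
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name(attrs))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256())


def csr_names(csr):
    """Return (cn_or_None, [dns SANs]) as parsed from the CSR. Assumed helper."""
    cn_attrs = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None
    try:
        san = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        ).value
        dns = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    return cn, dns


def validate_csr(csr, authorized_dns, allow_empty_cn):
    """Server-side check modelled on the behaviour described in the thread:
    the CSR is accepted or rejected, never modified. Returns (ok, detail).
    authorized_dns are the identifiers the ACME order was authorized for."""
    if not csr.is_signature_valid:
        return False, "CSR signature invalid"          # assumed wording
    authorized = {a.lower() for a in authorized_dns}
    cn, dns = csr_names(csr)
    if not dns:
        return False, "no DNS SAN in CSR"              # assumed wording
    unauthorized = [d for d in dns if d.lower() not in authorized]
    if unauthorized:
        return False, "SAN not authorized: " + ", ".join(unauthorized)  # assumed
    if cn is None:
        # An empty Subject is what certbot produces; policy decides.
        return (True, "ok (empty subject)") if allow_empty_cn else (False, "CN Invalid.")
    if cn.lower() not in authorized:
        return False, "CN Invalid."
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the hostnames from the thread.
    order = ["server01.server.srv", "server01"]
    with_cn = make_csr(order, cn="server01.server.srv")
    print(with_cn.public_bytes(serialization.Encoding.PEM).decode())
    print(csr_names(with_cn), validate_csr(with_cn, order, allow_empty_cn=False))
    bare = make_csr(order)
    print(csr_names(bare), validate_csr(bare, order, allow_empty_cn=False))
```

The PEM printed by the script can be fed to `openssl req -text -noout` exactly as in the thread to confirm that both `Subject: CN = ...` and the `X509v3 Subject Alternative Name` block are present; the decision on whether an empty CN is acceptable then belongs to the issuing policy, not to the CSR.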

I'm no expert in templates, but there are probably some settings around the subject name as well.

Also - if certbot does not allow you to set the CN (which is okay, since it's all built for browsers and web servers), you might just use another client.

Nevertheless - I'm closing this as out-of-scope.
It's not an issue ADCS could solve.