pomerium / cli

Pomerium CLI

Expanded options for selecting certificates from OS native certificate stores

kenjenkins opened this issue · comments

Background:

#314 added a new option --client-cert-issuer-cn to enable searching the macOS Keychain or Windows certificate store for a client certificate. This search is based on the Common Name of the CA that issued the client certificate.

Note that this option has not yet been included in a pomerium-cli release.

Per conversation with @arulthileeban, this option alone is not sufficient for their deployment. Instead they require some way to select between multiple certificates issued by the same CA (where only one particular certificate should be used with Pomerium).

I propose we replace the --client-cert-issuer-cn option with an expanded set of options:

  1. --client-cert-from-store would enable the overall feature of searching the OS certificate store.

    If this option is provided by itself, pomerium-cli would search for a matching certificate based on the advertised CA names from the TLS handshake. This default behavior would likely be sufficient for many client certificate deployments.

Two additional options could be used in combination with this first option, to provide additional filtering capabilities:

  1. --client-cert-issuer would filter matching certificates based on one attribute of the certificate's Issuer name.

    So instead of the previous option --client-cert-issuer-cn "Trusted CA Name" you would set --client-cert-issuer "CN=Trusted CA Name". Only the most commonly-used name attributes would be supported (e.g. CN, O, OU, C, ST, L).

  2. --client-cert-subject would likewise filter matching certificates based on one attribute of the certificate's Subject name.

    For example, --client-cert-subject "OU=Organizational Unit Name".

@calderonth, I believe you are also interested in using client certificates with Pomerium. If you anticipate needing to use client certificates with pomerium-cli, please let me know if you have any feedback on this idea. Thanks!
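To make the proposed filters concrete, here is an added Go example (not pomerium-cli's own code) of how an "ATTR=value" filter could be parsed and applied to a certificate's Issuer and Subject, insisting on exactly one match so that several certificates from the same CA are reported as ambiguous rather than one being picked silently. The names attrFilter, parseAttrFilter and selectClientCert are hypothetical, and any certificates fed to it are assumed to have already been loaded from the OS store.

```go
package main
import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"slices"
	"strings"
)
// attrFilter is one "ATTR=value" filter, e.g. "CN=Trusted CA Name", in the form the proposed flags would take.
type attrFilter struct{ attr, value string }

// parseAttrFilter accepts only the name attributes listed in the proposal (CN, O, OU, C, ST, L).
func parseAttrFilter(s string) (*attrFilter, error) {
	attr, value, ok := strings.Cut(s, "=")
	if !ok || value == "" {
		return nil, fmt.Errorf("filter %q must look like ATTR=value", s)
	}
	switch attr = strings.ToUpper(strings.TrimSpace(attr)); attr {
	case "CN", "O", "OU", "C", "ST", "L":
		return &attrFilter{attr, value}, nil
	}
	return nil, fmt.Errorf("unsupported name attribute %q", attr)
}

// matches reports whether n carries the filter's value. A nil filter (flag omitted)
// matches every name; multi-valued attributes match if any of their values is equal.
func (f *attrFilter) matches(n pkix.Name) bool {
	if f == nil {
		return true
	}
	values := map[string][]string{
		"CN": {n.CommonName}, "O": n.Organization, "OU": n.OrganizationalUnit,
		"C": n.Country, "ST": n.Province, "L": n.Locality,
	}[f.attr]
	return slices.Contains(values, f.value)
}

// selectClientCert insists on exactly one certificate passing both filters, so an ambiguous store is reported, not guessed.
func selectClientCert(certs []*x509.Certificate, issuer, subject *attrFilter) (*x509.Certificate, error) {
	var matched []*x509.Certificate
	for _, c := range certs {
		if issuer.matches(c.Issuer) && subject.matches(c.Subject) {
			matched = append(matched, c)
		}
	}
	if len(matched) != 1 {
		return nil, fmt.Errorf("%d certificates match, expected exactly 1", len(matched))
	}
	return matched[0], nil
}
```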

@kenjenkins -- #380 is in draft. What moves it off the bench?

If no concerns about the proposed options, I think #380 is ready for review.

It does still need a follow-up change to add corresponding changes in the API used by the desktop app, but I think we can do that in a separate PR.

This is released now in pomerium-cli v0.23.0.