Template for Extra DN names

[bagasme]

How can I add extra names (DN names other than Common Name) to the generated certificate? I have heared .Insecure.CR.Subject.ExtraNames but when I specified that in the template used to generate leaf certificate, like:

{
    "subject": {{ toJson .Insecure.CR.Subject.ExtraNames }},
    "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
    "keyUsage": ["digitalSignature"],
{{- end }}
    "extKeyUsage": ["serverAuth", "clientAuth"]
}

, the subject is empty in the certificate instead.

Note that templateData in ca.json should not be used.

[tashian]

You may not need a template for this.

Using the default template, try creating a CSR with subject names you need, and use step ca sign to get it signed.

If that doesn't work for you, please share the CSR PEM and we'll take a look.

[maraino]

Hi @bagasme, there are different ways you can do this:

1. If you want to templatize all your certificates with the same DNs the best thing is to edit your ca.json and add inside the authority object a new template object like this:

{
  "...": "...",
  "authority": {
    "template": {
      "country": "US",
      "organization": "Smallstep",
      "organizationalUnit": "Smallstep Eng",
      "locality": "San Francisco",
      "province": "California",
      "streetAddress": "1 The Street St",
      "postalCode": "12345"
    },
    "...": "..."
  }
}

2. If you want to copy the Subject in your CSR then you need a provisioner template like this:

{
	"subject": {{ toJson .Insecure.CR.Subject }},
	"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}

3. Settings different subject by provisioner, a template like:

{
	"subject": {
		"country": "US",
		"organization": "Smallstep",
		"organizationalUnit": "Smallstep Eng.",
		"locality": "San Francisco",
		"province": "California",
		"streetAddress": "123 A St",
		"postalCode": "94102",
		"serialNumber": "123456789",
		"commonName": {{ .Subject.CommonName | toJson }},
		"extraNames": [
			{"type": "1.2.840.113549.1.9.1", "value": "[email protected]"}
		]
	},
	"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}

4. The fields above can also come from different sources:

a) From a flag --set or --set-file passed to step ca certificate. For example --set organizationalUnit=MyOrgUnig

"organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }}

b) By Specific template data in your provisioner:

{
  "type": "ACME",
  "name": "acme",
  "options": {
  "x509": {
    "templateFile": "templates/certs/x509/subject.tpl",
    "templateData": {
      "country": "US",
      "organization": "test",
      "organizationalUnit": "lab",
      "province": "California",
      "locality": "Redwood City"
    }
  }
}

and a template setting things like

"organizationalUnit": {{ toJson .organizationalUnit }}

c) You can also mix those with some logic:

{- if .Insecure.User.organizationalUnit }}
  "organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }},
{{- else if .Insecure.CR.Subject.organizationalUnit }}
  "organizationalUnit": {{ toJson .Insecure.CR.Subject.organizationalUnit }},
{{- else }}
  "organizationalUnit": {{ toJson .organizationalUnit }},
{{- end }}

My recommendation is to use 1 so you don't need specific templates per provisioner and all your certificates have the same DNs, except for the common name.

[bagasme]

Hi,

I figured out the answer myself. I write the template similar to option c) as:

{
    "subject": {
        "country": {{ toJson .Insecure.User.country }},
        "province": {{ toJson .Insecure.User.province }},
        "locality": {{ toJson .Insecure.User.locality }},
        "organization": {{ toJson .Insecure.User.organization }},
        "organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }},
        "commonName": {{ toJson .Insecure.CR.Subject.CommonName }}
    },
    "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
    "keyUsage": ["digitalSignature"],
{{- end }}
    "extKeyUsage": ["serverAuth", "clientAuth"],
    "basicConstraints": {
        "isCA": false
    }
}

Then, on my step clients, I write DNs in dn.json, e.g.:

{
	"country": "ID",
	"province": "Foo",
	"locality": "Bar",
	"organization": "Foo",
	"organizationalUnit": "Bar",
	"commonName": "foo.bar"
}

I passed --set-file dn.json to step command to supply the DN. Thanks!