Signing a CSR from a Unifi Controller

[tashian]

First of all thanks for making step-ca, I use it all the time in my homelab. It's really some of the best software on the internet.

I'm trying to get a CSR signed from a Unifi Controller (java keystore), using the instructions in this KB article. Here's the certificate request I get from the Unifi device:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US,ST=CA,L=San Francisco,O=Unifi Controller,OU=unifi.internal,CN=unifi.internal
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (2048 bit)
...
                Exponent: 65537 (0x10001)
    Signature Algorithm: SHA256-RSA
...

When I ask step-ca to sign the CSR, I get:

"certificate request does not contain the valid DNS names - got [], want [unifi.internal]"

Is there any way to get this CSR signed, short of maybe making a custom template that adds a DNS SAN from the Common Name?

[maraino]

Hi @tashian,

The use of common names only for DNS authentication is currently deprecated, and the JWK provisioner enforces the use of at least one subject alternative name SAN. We probably should relax this requirement from the CSR, and just grab the CN and add it to a SAN.

Not all the provisioners have the same restrictions, for example, OIDC doesn't have that restriction, but using step will complain because the CN does not match the token subject, there's already an issue for loosening the requirements of step and relay just on step-ca (smallstep/cli#340). So right now, you can grab the OIDC token (using step ca token) and build a JSON like:

{
  "ott": "...the oidc token...",
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIH.....\n-----END CERTIFICATE REQUEST-----"
}

And do curl -d /tmp/sign.json https://ca-server/1.0/sign. You will get a certificate back, but it won't be the certificate that you want, as it will have for example your email as a SAN, and the CN will be the token subject. But you can fix that with a certificate template, and just sign the CSR {{ toJson .Insecure.CR }}, although you might want to add the subject common name as a SAN and add proper key usages. Something like this will work:

{
	"subject": {{ toJson .Insecure.CR.Subject }},
	"sans": [{"type": "auto", "value": "{{ .Insecure.CR.Subject.CommonName }}"}],
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}