SSL, Certs & Subject Alternative Name

Community Beginner, Sep 19, 2019

Hi all,

My organization is in the process of changing its authentication process. Rather than authenticating using data in the "Subject" attribute in the certificate (which I can parse out from cgi.CERT_SUBJECT), they want to authenticate using the "Subject Alternative Name" attribute extension of the certificate. However, there is no cgi variable (that I am aware of) that I can get the data from that attribute.

I've been researching this for weeks, but am stuck. Anyone have any ideas?

I apologize if my terminology is used incorrectly above...I'm a pretty good programmer, but SSL/Certs is not my strength.

Thanks much in advance!

TOPICS
Advanced techniques, Security

Advocate, Sep 19, 2019

Community Beginner, Oct 20, 2019

Thank you, haxtbh.

Per the link you provided, I was able to output the "Subject Alternative Name" using #x509[1].getSubjectAlternativeNames()#.

However the output is only a partial listing of the "Subject Alternative Name" field. It displays the sub-field "URL" value, but not the "Principal Name" value. And the data that I need to authenticate users is in the "Principal Name" sub-field.

Help?

Community Beginner, Nov 19, 2019

Still looking into this...anyone have an idea?

Maybe I'm looking at this the wrong way. Rather than try to read the certificate as-is, is there a way to configure IIS so that the "Subject Alternative Name" field is fully displayed in a CGI variable?

Help?

New Here, Jun 01, 2020

For me, I did x509[1].getSubjectAlternativeNames().toArray() to give me an array of values.

In the array, I saw some values were in binary. If I converted those binary values to utf-8, I was able to see one of the strings that I wanted but also with some junk prefixed. I assume the junk portion is just how the value gets encoded, I'm not an expert. I'm thinking I'll just do a rematch to extract the string I want for now until I can decode it better. In my case the string is very specific so I don't think I'll run into problems but I'd need to test this further when I have the time.
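
An added example, not code from any poster in this thread: the byte-array entries that getSubjectAlternativeNames() returns for otherName values are ASN.1 DER, so the bytes in front of the readable string are tag and length headers that can be walked instead of pattern-matched. The sketch assumes the "Principal Name" is the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) holding a UTF8String, and accepts either a SEQUENCE (0x30) or [0] (0xA0) outer tag; the class name UpnFromSan and the sample UPN are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class UpnFromSan {
    // DER content bytes of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft User Principal Name)
    static final byte[] UPN_OID = {0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03};

    // Reads one DER TLV starting at pos[0], bounded by end; returns {tag, contentStart, contentEnd}.
    static int[] tlv(byte[] b, int[] pos, int end) {
        int p = pos[0];
        if (end - p < 2) throw new IllegalArgumentException("truncated TLV");
        int tag = b[p++] & 0xFF;
        int len = b[p++] & 0xFF;
        if (len >= 0x80) {                       // long form: low 7 bits count the length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3 || end - p < n) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xFF);
        }
        if (len > end - p) throw new IllegalArgumentException("length overruns parent");
        pos[0] = p + len;                        // advance past this element
        return new int[] {tag, p, p + len};
    }

    // Returns the UPN from a DER otherName, or null when the otherName carries a different OID.
    static String extractUpn(byte[] der) {
        int[] outer = tlv(der, new int[] {0}, der.length);
        if (outer[0] != 0x30 && outer[0] != 0xA0) throw new IllegalArgumentException("not an otherName");
        int[] pos = {outer[1]};
        int[] oid = tlv(der, pos, outer[2]);
        if (oid[0] != 0x06 || !Arrays.equals(Arrays.copyOfRange(der, oid[1], oid[2]), UPN_OID)) return null;
        int[] wrap = tlv(der, pos, outer[2]);    // [0] EXPLICIT wrapper around the value
        if (wrap[0] != 0xA0) throw new IllegalArgumentException("missing [0] wrapper");
        int[] str = tlv(der, new int[] {wrap[1]}, wrap[2]);
        if (str[0] != 0x0C) throw new IllegalArgumentException("value is not a UTF8String");
        return new String(der, str[1], str[2] - str[1], StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: otherName { UPN OID, [0] { UTF8String "jdoe@example.test" } }
        byte[] s = "jdoe@example.test".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream o = new ByteArrayOutputStream();
        o.write(0x30); o.write(16 + s.length);
        o.write(0x06); o.write(UPN_OID.length); o.write(UPN_OID, 0, UPN_OID.length);
        o.write(0xA0); o.write(2 + s.length); o.write(0x0C); o.write(s.length); o.write(s, 0, s.length);
        System.out.println(extractUpn(o.toByteArray()));
    }
}
```

Each entry of the returned collection is a two-element list of name type and value; pass the byte-array value of entries whose type is 0 (otherName) to extractUpn.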

LEGEND, Feb 06, 2020

I am trying to do the same thing, but with Apache. We have modded the mod_jk file to set CGI variables for many things, but I am searching for how to get the Subject Alternative Name / Principal Name and I'm not finding what the jkEnvVar variable name is to add. Anyone?

V/r,

^ _ ^
