SSL, Certs & Subject Alternative Name

Community Beginner ,
Sep 19, 2019

Hi all,

My organization is in the process of changing authentication process. Rather than authenticating using data in the "Subject" attribute in the certificate (which I can parse out from cgi.CERT_SUBJECT), they want to authenticate using the "Subject Alternative Name" attribute extension of the certificate. However there is no cgi variable (that I am aware of) that I can get the data from that attribute.

I've been researching this for weeks, but am stuck. Anyone have any ideas?

I apologize if my terminology is used incorrectly above...I'm a pretty good programmer, but SSL/Certs is not my strength.

Thanks much in advance!

TOPICS
Advanced techniques, Security

Advocate ,
Sep 19, 2019

Community Beginner ,
Oct 20, 2019


Thank you, haxtbh.

 

Per the link you provided, I was able to output the "Subject Alternative Name" using #x509[1].getSubjectAlternativeNames()#.  

 

However the output is only a partial listing of the "Subject Alternative Name" field.  It displays the sub-field "URL" value, but not the "Principal Name" value.  And the data that I need to authenticate users is in the "Principal Name" sub-field.

 

Help?

Community Beginner ,
Nov 19, 2019


Still looking into this...anyone have an idea?

 

Maybe I'm looking at this the wrong way.  Rather than try to read the certificate as-is, is there a way to configure IIS so that the "Subject Alternative Name" field is fully displayed in a CGI variable?

 

Help?

New Here ,
Jun 01, 2020


For me, I did x509[1].getSubjectAlternativeNames().toArray() to give me an array of values.

In the array, I saw some values were in binary. If I converted those binary values to UTF-8, I was able to see one of the strings that I wanted but also with some junk prefixed. I assume the junk portion is just how the value gets encoded; I'm not an expert. I'm thinking I'll just do a rematch to extract the string I want for now until I can decode it better. In my case the string is very specific so I don't think I'll run into problems, but I'd need to test this further when I have the time.

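The prefix bytes described in the post above are the DER framing of a SAN otherName entry: a type OID followed by a tagged string. As an added example (not code from this thread or from Adobe), the Java helper below checks that OID and reads the Principal Name from the structure instead of pattern-matching the decoded bytes, so a string from a different name type is not accepted by accident. It assumes the JDK's SEQUENCE { OID, [0] value } byte layout, the Microsoft UPN type OID 1.3.6.1.4.1.311.20.2.3 and a UTF8String value; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public final class UpnFromSan {
    // DER bytes (tag, length, value) of OID 1.3.6.1.4.1.311.20.2.3, assumed to mark a UPN.
    private static final byte[] UPN_OID =
            {0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03};

    /** Returns the first UPN in the certificate's SAN extension, or null if there is none. */
    public static String upn(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;                    // certificate has no SAN extension
        for (List<?> san : sans) {
            // Entry type 0 is otherName; the JDK returns its value as DER bytes, not a String.
            if (!Integer.valueOf(0).equals(san.get(0)) || !(san.get(1) instanceof byte[])) continue;
            String upn = parseOtherName((byte[]) san.get(1));
            if (upn != null) return upn;
        }
        return null;
    }

    /** Parses SEQUENCE { OID, [0] EXPLICIT UTF8String }; null unless it is a well-formed UPN. */
    static String parseOtherName(byte[] der) {
        try {
            int[] p = {0};                                // read position
            open(der, p, 0x30, 0xA0);                     // SEQUENCE, or [0] if implicitly tagged
            byte[] oid = Arrays.copyOfRange(der, p[0], p[0] + UPN_OID.length); // zero-padded if short
            if (!Arrays.equals(oid, UPN_OID)) return null; // some other otherName type
            p[0] += UPN_OID.length;
            open(der, p, 0xA0, 0xA0);                     // [0] EXPLICIT wrapper
            int len = open(der, p, 0x0C, 0x0C);           // UTF8String holding the UPN
            return new String(der, p[0], len, StandardCharsets.UTF_8);
        } catch (IndexOutOfBoundsException | IllegalArgumentException e) {
            return null;                                  // truncated or malformed DER
        }
    }
    // Reads tag and length at p[0]; the element must have tag a or b and run to the end of d.
    private static int open(byte[] d, int[] p, int a, int b) {
        int tag = d[p[0]++] & 0xFF, len = d[p[0]++] & 0xFF;
        if (len == 0x81) len = d[p[0]++] & 0xFF;          // one-byte long form (128..255)
        else if (len >= 0x80) throw new IllegalArgumentException("unsupported DER length");
        if ((tag != a && tag != b) || p[0] + len != d.length)
            throw new IllegalArgumentException("unexpected DER structure");
        return len;
    }
}
```

Once the compiled class is on ColdFusion's classpath, it could be called as createObject("java", "UpnFromSan").upn(x509[1]) with the same x509 array used in the posts above.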
LEGEND ,
Feb 06, 2020


I am trying to do the same thing, but with Apache.  We have modded the mod_jk file to set CGI variables for many things, but I am searching for how to get the Subject Alternative Name / Principal Name and I'm not finding what the jkEnvVar variable name is to add.  Anyone?

 

V/r,

 

^ _ ^
