Re: Some parameters located now…


Good morning & Happy New Year !

Yes there are people tuning their ZS early on New Year Day ๐Ÿ˜†

Thanks Garfield, It helped me to find some items from my initial questions.

* The source data for the CA appear to be there:

root@janus2> ll /var/register/system/ssl/ca
total 32K
-rw-r–r– 1 root root 6 Sep 28 2004 StateOrProvince
-rw-r–r– 1 root root 3 Jan 29 2015 WebExport
-rw-r–r– 1 root root 4 Nov 19 2004 countryName
-rw-r–r– 1 root root 3 Jan 29 2015 days
-rw-r–r– 1 root root 4 Jan 29 2015 keysize
-rw-r–r– 1 root root 9 Sep 28 2004 localityName
-rw-r–r– 1 root root 5 Sep 28 2004 organizationName
-rw-r–r– 1 root root 7 Sep 28 2004 organizationalUnitName

As you can see, most of them were not updated when I installed my own LocalCA, this is a bit dirty, but not critical…

* What is used from the CA info:

The ‘kerbynet.cgi/scripts/x509_createAdminCert’ and ‘…/x509_createDefaultCert’ both use only:

NBIT=`cat $REGISTER/system/ssl/ca/keysize 2>/dev/null`
DAYS=`cat $REGISTER/system/ssl/ca/days 2>/dev/null`
[ -z "$NBIT" ] && NBIT=1024
[ -z "$DAYS" ] && DAYS=365

* How the SAN is built (by ‘…/x509_createDefaultCert’):

echo -n "subjectAltName = DNS:`hostname`" >> $TMP
find /var/register/system/net/interfaces/ -name IP -type f -exec awk '{printf(", IP:%s",$0)}' {} ; >> $TMP

This is awful because:
– the files “…/net/interfaces/…/IP” appears to have kept obsolete IP addresses,
– this can disclose my LAN side IP’s in certificates made for WAN side,
– this will not let me specify a wanted name for a given certificate.

How to change that ?

It is always the problem with GUIs: you need to either hardcode or write a complex editor for data that most of people won’t care of, so it is often painful job for nothing…

The simplest solution is always declarative, in the form of a template file located in a known place, with severe warnings to edit it, either by hand or with a GUI file editor…

For the set of IP addresses, I understand the need to fetch them in the system, but it should be done only once when changes are done in the network structure, and the admin should be able to willingly copy and filter the result.

OK, now I have found where to hack to have clean certificates.

More ideas for usability

Directly using opensssl is tricky, but there is a nice software named XCA that enables anybody a bit aware of the principles to safely and cleanly manage all his SSL data.

Wouldn’t it be simpler to enable to import all the SSL items into ZS this way ? Actually ZS wants to have its CA and to make its host and admin certificates by itself… with the issues above.

And since I have twin ZS systems, you imagine that it means 2 CAs ๐Ÿ™‚

This leads me to remind this question, I’d like to have your positions:

Thanks, Best regards.