About EDITF_ATTRIBUTESUBJECTALTNAME2 flag

[ldc-2024]

We are seeing certificates being denied because EDITF_ATTRIBUTESUBJECTALTNAME2 flag is configured even when there is no policy file for the template. is this expectable?
From documentation, one template should be affected by this module if there is no policy file assigned.

[JerboaGobi]

That flag is called out specifically in the documentation. TMC will globally block certificate issuance if that flag is enabled.

docs.tamemycerts.com 4.19 Denying certificate requests for insecure combinations

[ldc-2024]

Hi,
Thank you for your quick replay.
can TMC use the Supplementing DNS Names and IP Addresses feature in combination with the “san” request attribute?

[JerboaGobi]

I think 4.8 and 5.3.1 in the docs will serve as evidence but the answer is yes. Sent from my Galaxy -------- Original message --------From: ldc-2024 ***@***.***> Date: 8/22/24 01:51 (GMT-07:00) To: Sleepw4lker/TameMyCerts ***@***.***> Cc: JerboaGobi ***@***.***>, Comment ***@***.***> Subject: Re: [Sleepw4lker/TameMyCerts] About EDITF_ATTRIBUTESUBJECTALTNAME2 flag (Discussion #30) Hi, Thank you for your quick replay. can TMC use the Supplementing DNS Names and IP Addresses feature in combination with the “san” request attribute? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[Sleepw4lker]

EDITF_ATTRIBUTESUBJECTALTNAME2 is a global flag, which means it allows any requestor to get any certificate content issued for any certificate template. In most cases, this is a direct invitation for a privilege escalation up to Domain Administrator. The flag should therefore never be enabled.

This is why I decided to deny requests for this combination (flag enabled and "san" attribute set) globally.

The underlying issue is that you have certificate requests that do not contain a SAN but the issued certificate must have one for the application to work (usually browsers enforcing RFC 2818). So what you want to achieve is usually add a SAN to a CSR not containing it. The challenge here is that you cannot modify the original request wihout invalidating its signature.

However, there are secure ways to achieve the goal:

1. you can (manually - no TMC required) add SANs prior to issuance as certificate manager, I outlined secure options here.
2. you can make TMC detect any DNS names in the Subject DN and build a SAN extension out of them
3. you can make TMC pull the information from Active Directory (if a mapping can be made)

Cheers

[ldc-2024]

Hi,
The link provided is not working anymore:
https://www.gradenegger.eu/en/change-the-subject-alternative-name-san-of-a-certificate-before-it-is-issued-but-be-sure-to/ is not
Same for this link:
https://www.gradenegger.eu/en/take-over-the-active-directory-overall-structure-with-the-flag-editf_attributesubjectaltname2/

Thanks!

[Sleepw4lker]

Sorry, there was a technical issue on my blog which is now fixed. Sorry for the inconvenience.

[ldc-2024]

all good! :)
about my previous question,
Could you provide more details about how to use the “san” request attribute together with TMC? Do you have any examples?
The “san” request metadata was provided by users via web enrollment

[Sleepw4lker]

Hello, as I said and outlined in the blog, you should never use the "san" attribute but instead use a secure method to add a SAN to a certificate request.