Custom subject parameters for private ACME CA

Thank you for Caddy!

The problem I’m having

For a private CA there is a requirement to set certain parameters (C, ST, L, O, OU) in the subject. This CA is now also offering an ACME directory endpoint, but these parameters are still required.

It would be nice to be able to use ACME with Caddy directly in this setting. Is there a way to configure these parameters in Caddy?

I could only find https://caddyserver.com/docs/json/apps/tls/automation/policies/subjects/ in the documentation, but that seems more Caddy internal policy related. Is that correct?

Caddy version:

2.9.1

Currently, there’s not a way to set those fields with the fully-automated internal CA. But you could provide your own root (and intermediate, if you wish) that has those filled out. Or someone could submit a PR to add this capability.

PS. The relevant part of the config is the pki app: JSON Config Structure - Caddy Documentation

Sorry, Matt. I meant an external CA (managed by a supplier; unsure of the used software) that requires those fields to be set in the CSR when using ACME.

Would it be possible to set those fields in this case?

More specifically, this is the error we are getting:

{"level":"error","ts":1739792194.9596744,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test.internal.domain.org","issuer":"suppliername-acme-v2-directory","error":"HTTP 400 urn:ietf:params:acme:error:badCSR - Bad signature on CSR: Common Name (CN) is empty\n"}

Well, CommonName on leaf certs has been deprecated for over 20 years, so I don’t think Caddy has any interest in supporting that field in that case.

But I’m open to supporting the other fields.


Thank you, Matt! If we were to implement this, what would be the best place for this change?

Probably in CertMagic’s generateCSR() function:

Writing an issue with a proposal might be a good idea first before you spend too much time editing code that may have to be revised.

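To make the CSR side of this thread concrete, here is an added Go example (not code from Caddy or CertMagic, and not a proposed patch to either) that builds a CSR carrying the C, ST, L, O and OU subject attributes the external CA requires, then parses the result back and reports which required attributes are absent before the request ever reaches the ACME finalize step. The `SubjectParams` struct, the `GenerateCSR` and `MissingSubjectFields` function names and the sample subject values are all assumptions made for this example; the only value taken from the thread is the identifier `test.internal.domain.org`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// SubjectParams is a hypothetical configuration struct for the subject
// attributes the CA in the thread requires. It is not part of Caddy or CertMagic.
type SubjectParams struct {
	Country, Province, Locality, Organization, OrganizationalUnit string
}

// optional returns nil for an empty value so the CSR carries no empty RDN.
func optional(v string) []string {
	if v == "" {
		return nil
	}
	return []string{v}
}

// GenerateCSR creates a fresh P-256 key and a PEM-encoded CSR whose subject
// carries the given parameters and whose SANs are the requested names.
func GenerateCSR(p SubjectParams, sans []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			Country:            optional(p.Country),
			Province:           optional(p.Province),
			Locality:           optional(p.Locality),
			Organization:       optional(p.Organization),
			OrganizationalUnit: optional(p.OrganizationalUnit),
		},
		DNSNames: sans, // identifiers belong in the SAN extension, not the CN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// MissingSubjectFields parses a PEM CSR, verifies its self-signature and reports
// which of the required subject attributes (C, ST, L, O, OU, CN) are absent.
// Running this locally before finalizing an ACME order turns the CA's opaque
// "badCSR" rejection into an actionable configuration error.
func MissingSubjectFields(csrPEM []byte, required []string) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("bad signature on CSR: %w", err)
	}
	present := map[string]bool{
		"C":  len(csr.Subject.Country) > 0,
		"ST": len(csr.Subject.Province) > 0,
		"L":  len(csr.Subject.Locality) > 0,
		"O":  len(csr.Subject.Organization) > 0,
		"OU": len(csr.Subject.OrganizationalUnit) > 0,
		"CN": csr.Subject.CommonName != "",
	}
	var missing []string
	for _, attr := range required {
		if !present[attr] {
			missing = append(missing, attr)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample values; a real deployment would load these from config.
	params := SubjectParams{Country: "NL", Province: "Example Province", Locality: "Example City",
		Organization: "Example Org", OrganizationalUnit: "Example Unit"}
	csrPEM, _, err := GenerateCSR(params, []string{"test.internal.domain.org"})
	if err != nil {
		panic(err)
	}
	missing, err := MissingSubjectFields(csrPEM, []string{"C", "ST", "L", "O", "OU"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("missing subject attributes: %v\n", missing)
	fmt.Print(string(csrPEM))
}
```

Checking the CSR against the CA's published requirements with `MissingSubjectFields` also makes the mismatch in the thread visible on the client side: asking it for `CN` on a CSR that only sets the five attributes above reports `CN` as missing, which is exactly the condition this particular CA rejects and Caddy does not populate.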