Adding emailAddress to subject line

[logopk]

Hi,

I have existing CSRs for different client certs that contain an additional emailAddress-Field.

I'm using a client cert template with the following data (that skips the usual TLS Server Certificate settings). The subject part is the default from the basic leaf-template.

{
    "subject": {
        "organizationalUnit": {{ toJson .OrganizationalUnit }},
        "organization": {{ toJson .Organization }},
        "locality": {{ toJson .Locality }},
        "Province": {{ toJson .Province }},
        "Country": {{ toJson .Country }},
        "commonName": {{ toJson .Subject.CommonName }}
    },
  "keyUsage": ["digitalSignature", "keyAgreement"],
  "extKeyUsage": ["clientAuth"],
  "crlDistributionPoints": "http://xxx:8881/step.crl.pem",
  "ocspServer": "http://xxx:8889"
}

What is necessary to add the emailaddress?

What would I have to change in the template to pass the fields when issuing the certificate?
At the moment only the CN is passed into the cert from the subject parameter (I see the difference in the template for commonName). Could I possibly add the whole subject line (including the email)?

Thank You in advance!

Peter

[maraino]

The emailAddress in the subject is not currently supported (I recommend you to add a new issue for that), we only support it as a SAN.

The most common way to set the country, locality, and the rest of the subject fields is to define a template inside the "authority" object of the ca.json. Something like:

{
    "...": "...",
    "authority": {
        "template": {
            "country": "US",
            "organization": "Smallstep",
            "organizationalUnit": "Smallstep Eng",
            "locality": "San Francisco",
            "province": "California",
            "streetAddress": "1 The Street St"
        },
        "...": "..."
    },
    "...": "..."
}

These properties will be common in all the certificates unless the template sets a different value.

To set a different value, an option is to pass custom values when you sign the certificate using the --set key=value or --set-file filename flags in step ca certificate or step ca sign. Those flags set template variables that can be accessed from the templates as .Insecure.User.Key, so you can for example have use --set-file subject.json where subject.json is :

{
    "country": "US",
    "organization": "Foo",
    "...": "..."
}

and you can have a template like yours replacing all the subject subject fields but common name to:

{
    "subject": {
        "country": {{ toJson .Insecure.User.country }},
        "...": "...",
        "commonName": {{ toJson .Subject.CommonName }}
    },
    "...": "..."
}

[logopk]

Nice, that worked.

Just for the records: Template Default-Data should go in:

"options": {
	"x509": {
	  "templateFile": "templates/certs/x509/leaf-client.tpl",
          "templateData": {
              "country": "DE",
              "organization": "myOrg",
              "organizationalUnit": "myTeam",
              "province": "myProvince",
              "locality": "myTown"
            }
	}
}

The Template in my case is: (i can override each of the defaults in --set-file or with ---set key=value)

{
    "subject": {
{{- if .Insecure.User.organizationalUnit }}
    "organizationalUnit": {{ toJson .Insecure.User.organizationalUnit}},
{{- else }}
    "organizationalUnit": {{ toJson .organizationalUnit }},
{{- end }}
{{- if .Insecure.User.organization }}
    "organization": {{ toJson .Insecure.User.organization}},
{{- else }}
    "organization": {{ toJson .organization }},
{{- end }}
{{- if .Insecure.User.locality }}
    "locality": {{ toJson .Insecure.User.locality}},
{{- else }}
    "locality": {{ toJson .locality }},
{{- end }}
{{- if .Insecure.User.Province }}
    "province": {{ toJson .Insecure.User.province}},
{{- else }}
    "province": {{ toJson .province }},
{{- end }}
{{- if .Insecure.User.Country }}
    "country": {{ toJson .Insecure.User.country}},
{{- else }}
    "country": {{ toJson .country }},
{{- end }}
        "commonName": {{ toJson .Subject.CommonName }}
    },
  "keyUsage": ["digitalSignature", "keyAgreement"],
  "extKeyUsage": ["clientAuth"],
  "crlDistributionPoints": "http://mycrl-endpoint:8881/step.crl.pem",
  "ocspServer": "http://myocsp-server:8889"
}

and the keys seem to be case sensitive...

Thanks for your help @maraino !

[maraino]

Yes, provisioner-specific templateData is a better option, I forgot about that.