Forum Discussion
Return values of get_certificate_subject_alternative_name_bundle()
Hello!
I'm trying to make sense of what Management.KeyCertificate.get_certificate_subject_alternative_name_bundle returns. In my own testing of certificates that do have subject alternative names (i.e. subject CN aliases), I see weird behavior. I start off by checking that iControl returns is_bundled == True when calling Management.KeyCertificate.get_certificate_list(). If a certificate in a folder/partition does contain this flag, then I run it through Management.KeyCertificate.get_certificate_subject_alternative_name_bundle() to discover the subject alternative names (SANs). What I am seeing returned is a list of lists (as expected). The inner list, though, is a bit perplexing. See the next message for details (can't do code tags in the original forum post for some reason).
10 Replies
- mhite_60883
Cirrocumulus
Here's an example:
2013-01-01 08:19:23 DEBUG: Executing iControl method: System.Session.set_active_folder((), {'folder': '/test'})
2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_list((), {'mode': 'MANAGEMENT_MODE_DEFAULT'})
2013-01-01 08:19:23 DEBUG: cert_list = [{'certificate': {'bit_length': 1024, 'cert_info': {'email': None, 'id': '/test/wildcard.api.test.com'}, 'cert_type': 'CTYPE_CA_SIGNED_NO', 'expiration_date': 1388404800, 'expiration_string': 'Dec 30 12:00:00 2013 GMT', 'issuer': {'common_name': 'DigiCert High Assurance CA-3', 'country_name': 'US', 'division_name': 'www.digicert.com', 'locality_name': None, 'organization_name': 'DigiCert Inc', 'state_name': None}, 'key_type': 'KTYPE_RSA_PUBLIC', 'serial_number': '03:d1:32:ab:9f:4b:a3:bb:da:5e:a9:2d:48:f5:aa:aa', 'subject': {'common_name': '*.api.test.com', 'country_name': 'US', 'division_name': None, 'locality_name': 'Your Mom', 'organization_name': 'My Mom, Inc.', 'state_name': 'California'}, 'version': 3}, 'file_name': '/test/wildcard.api.test.com.crt', 'is_bundled': True}]
2013-01-01 08:19:23 DEBUG: cert_id_list = ['/test/wildcard.api.test.com']
2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.certificate_check_validity((), {'cert_ids': ['/test/wildcard.api.test.com'], 'mode': 'MANAGEMENT_MODE_DEFAULT', 'watermark_days': [365]})
2013-01-01 08:19:23 DEBUG: cert_validity_state_list = ['VTYPE_CERTIFICATE_WILL_EXPIRE']
2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_subject_alternative_name_bundle((), {'file_names': ['/test/wildcard.api.test.com.crt'], 'mode': 'MANAGEMENT_MODE_DEFAULT'})
2013-01-01 08:19:23 DEBUG: subject_alt_list = [['DNS:api.test.com, DNS:*.api.test.com', '', '']]
For the list of lists returned by get_certificate_subject_alternative_names(), what are the last two empty strings in index 0 of the outer list supposed to represent? (I only pass in one filename, so we are only concerned with index 0.) I can see that the actual SAN list is in index 0, but what are index 1 and 2?
When you look at the /Common/ca-bundle.crt, what gets returned is even more obtuse. It's entirely full of empty strings except for a random comma that gets thrown into the middle.
2013-01-01 08:19:19 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_subject_alternative_name_bundle((), {'file_names': ['/Common/ca-bundle.crt'], 'mode': 'MANAGEMENT_MODE_DEFAULT'})
2013-01-01 08:19:20 DEBUG: subject_alt_list = [['', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', ', ', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '']]
From a practical standpoint, I can just search the returned values for "DNS:" and not worry about the other stuff that gets returned. I'm just wondering if this is some weird bug I am hitting or if those fields are supposed to be returning something else?
Thanks,
-M
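To make the return shape concrete, here is an added Python example (not the poster's code and not part of the F5 iControl library) that parses the list of lists exactly as it appears in the debug output above: one inner list per requested file name, each inner entry a comma-separated string of `TYPE:value` tokens, or an empty string (or the stray `', '`) when a certificate in the file carries no SAN. The sample inputs are constructed to mirror the two outputs shown in the thread; the helper names, the per-file mapping and the single-label wildcard matching rule are my own assumptions, and the parser accepts any `TYPE:` prefix rather than only `DNS:` so it generalises beyond the one case shown.

```python
"""Parse the list-of-lists returned by
Management.KeyCertificate.get_certificate_subject_alternative_name_bundle().

Added example for this thread; not code from the original poster or from F5.
The input shapes are copied from the debug output in the thread; the helper
names and the wildcard-matching rule are assumptions made here.
"""
from typing import Dict, List

# Constructed samples mirroring the two shapes shown in the thread: one file
# whose single SAN string is followed by two empty entries, and a CA bundle
# that yields only empty strings plus one stray ', ' entry.
SAN_BUNDLE_WILDCARD = [['DNS:api.test.com, DNS:*.api.test.com', '', '']]
SAN_BUNDLE_CA = [[''] * 117 + [', '] + [''] * 15]


def parse_san_entry(entry: str) -> Dict[str, List[str]]:
    """Split one iControl SAN string into {type: [values]}.

    Tokens are comma-separated 'TYPE:value' pairs (e.g. 'DNS:api.test.com').
    Empty strings and tokens without a 'TYPE:' prefix (such as the stray ', '
    seen in the CA-bundle output) are skipped rather than treated as names.
    """
    result: Dict[str, List[str]] = {}
    for token in entry.split(','):
        token = token.strip()
        if not token or ':' not in token:
            continue
        san_type, _, value = token.partition(':')
        san_type, value = san_type.strip().upper(), value.strip()
        if value:
            result.setdefault(san_type, []).append(value)
    return result


def dns_names_per_file(file_names: List[str],
                       san_bundle: List[List[str]]) -> Dict[str, List[str]]:
    """Map each requested file name to every DNS SAN found across all the
    certificates the API reported for that file ([] when there are none)."""
    if len(file_names) != len(san_bundle):
        raise ValueError("expected one inner list per requested file name")
    out: Dict[str, List[str]] = {}
    for name, entries in zip(file_names, san_bundle):
        names: List[str] = []
        for entry in entries:
            names.extend(parse_san_entry(entry).get('DNS', []))
        out[name] = names
    return out


def certs_without_sans(entries: List[str]) -> int:
    """Count inner entries that yield no SAN at all (the blank entries a
    CA bundle produces, or the trailing '' entries after a real SAN string)."""
    return sum(1 for e in entries if not parse_san_entry(e))


def san_matches(hostname: str, san: str) -> bool:
    """Case-insensitive match of a hostname against one DNS SAN, using the
    usual single-label wildcard rule: '*.api.test.com' covers
    'foo.api.test.com' but neither 'api.test.com' nor 'a.b.api.test.com'."""
    hostname, san = hostname.lower().rstrip('.'), san.lower().rstrip('.')
    if san.startswith('*.'):
        suffix = san[1:]  # '.api.test.com'
        return hostname.endswith(suffix) and hostname.count('.') == san.count('.')
    return hostname == san


def covers_host(hostname: str, dns_sans: List[str]) -> bool:
    """True when at least one DNS SAN in the list covers the hostname."""
    return any(san_matches(hostname, s) for s in dns_sans)


if __name__ == '__main__':
    per_file = dns_names_per_file(['/test/wildcard.api.test.com.crt'],
                                  SAN_BUNDLE_WILDCARD)
    print(per_file)
    print('blank CA-bundle entries:', certs_without_sans(SAN_BUNDLE_CA[0]))
    sans = per_file['/test/wildcard.api.test.com.crt']
    for host in ('api.test.com', 'foo.api.test.com', 'a.b.api.test.com'):
        print(host, '->', covers_host(host, sans))
```

Searching each entry for `DNS:` as the poster suggests works, but splitting on the comma first and discarding anything that is not a `TYPE:value` token is what keeps the stray `', '` entry from being mistaken for a name; `covers_host` then lets an inventory script check that a bundled certificate actually covers the virtual server's hostname instead of only listing its SANs.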
- mhite_60883
Cirrocumulus
And I seriously hate the brain code quoting abilities of the forum software! FAIL! :( Hopefully you could decipher something from my post.
- Michael_Yates
Nimbostratus
Hi mhite,
Take a look at the iControl Method description for that method. Might help explain the behavior.
get_certificate_subject_alternative_name_bundle.
Gets the list of all certificate subject alternative names bundled in the certificate files as specified by the file_names. Each file_name will contain multiple certificate subject alternative names. Note: only call this method when the results of get_certificate_list indicate that there are multiple certificates bundled in a particular file.
For the ca_bundle that you ran it on, that's the default list of Trusted Root CA Certificates and the massive output shows that none of the certificates stored in the bundle have any SAN's.
Hope this helps.
- mhite_60883
Cirrocumulus
Thanks, Michael.
The part that is strange is that the output seems to include a random comma.
subject_alt_list = [['DNS:api.test.com, DNS:*.api.test.com', '', '']]
What is that last element?
- Michael_Yates
Nimbostratus
Hi mhite,
That's a good question. I'll try and code something up and see if I get similar results.
- mhite_60883
Cirrocumulus
Thanks, Michael. Will be interesting to see what behavior you see in your tests.
-M
- Michael_Yates
Nimbostratus
Hi mhite,
I completed building the tool and did some testing, but DevCentral is not allowing me to display the images that I captured showing you. Even though the method claims "Note: only call this method when the results of get_certificate_list indicate that there are multiple certificates bundled in a particular file", it did work well with some valid SAN certificates that I had on the system. I did not get the strange behavior that you got. It was just a single comma-delimited string with the two SANs. When I ran it on the default ca_bundle.crt I simply got back 135 blank entries.
- mhite_60883
Cirrocumulus
Interesting. What version are you running?
Also, my certificates are from Digicert -- how about you?
- Michael_Yates
Nimbostratus
I'm running v11.2.0 HF1.
Our Certificate Authority is Entrust for the Advantage Multi-SAN Certificates that I tested.