
Expanded options for selecting certificates from OS native certificate stores #381

Closed
kenjenkins opened this issue Dec 12, 2023 · 3 comments

@kenjenkins
Contributor

Background:

#314 added a new option --client-cert-issuer-cn to enable searching the macOS Keychain or Windows certificate store for a client certificate. This search is based on the Common Name of the CA that issued the client certificate.

Note that this option has not yet been included in a pomerium-cli release.

Per conversation with @arulthileeban, this option alone is not sufficient for their deployment. Instead they require some way to select between multiple certificates issued by the same CA (where only one particular certificate should be used with Pomerium).

I propose we replace the --client-cert-issuer-cn option with an expanded set of options:

  1. --client-cert-from-store would enable the overall feature of searching the OS certificate store.

    If this option is provided by itself, pomerium-cli would search for a matching certificate based on the advertised CA names from the TLS handshake. This default behavior would likely be sufficient for many client certificate deployments.

Two additional options could be used in combination with this first option, to provide additional filtering capabilities:

  1. --client-cert-issuer would filter matching certificates based on one attribute of the certificate's Issuer name.

    So instead of the previous option --client-cert-issuer-cn "Trusted CA Name" you would set --client-cert-issuer "CN=Trusted CA Name". Only the most commonly-used name attributes would be supported (e.g. CN, O, OU, C, ST, L).

  2. --client-cert-subject would likewise filter matching certificates based on one attribute of the certificate's Subject name.

    For example, --client-cert-subject "OU=Organizational Unit Name".

@calderonth, I believe you are also interested in using client certificates with Pomerium. If you anticipate needing to use client certificates with pomerium-cli, please let me know if you have any feedback on this idea. Thanks!
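The selection order proposed above (advertised CA names from the TLS handshake first, then the optional issuer and subject attribute filters), as an added Go example that is not code from pomerium-cli or from this issue. The function names (`ParseNameFilter`, `SelectClientCert`, `DemoStore`) and the three certificates are assumptions constructed for the demonstration; a real implementation would read candidates from the macOS Keychain or Windows store and take the CA list from `tls.CertificateRequestInfo.AcceptableCAs`. The fixture certificates are signed by a fresh key rather than by the named issuer, since only the names matter for the selection logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NameFilter is one "ATTR=value" constraint such as "CN=Trusted CA Name".
type NameFilter struct{ Attr, Value string }

// supportedAttrs are the name attribute types the proposal says the filters would accept.
var supportedAttrs = map[string]bool{"CN": true, "O": true, "OU": true, "C": true, "ST": true, "L": true}

// ParseNameFilter parses the ATTR=value syntax proposed for --client-cert-issuer and --client-cert-subject.
func ParseNameFilter(s string) (NameFilter, error) {
	attr, value, ok := strings.Cut(s, "=")
	attr = strings.ToUpper(strings.TrimSpace(attr))
	if !ok || value == "" || !supportedAttrs[attr] {
		return NameFilter{}, fmt.Errorf("filter %q must be ATTR=value with ATTR one of CN, O, OU, C, ST, L", s)
	}
	return NameFilter{Attr: attr, Value: value}, nil
}

// Matches reports whether n carries the filter's attribute with exactly the filter's value.
func (f NameFilter) Matches(n pkix.Name) bool {
	values := map[string][]string{"CN": {n.CommonName}, "O": n.Organization,
		"OU": n.OrganizationalUnit, "C": n.Country, "ST": n.Province, "L": n.Locality}
	for _, v := range values[f.Attr] {
		if v == f.Value {
			return true
		}
	}
	return false
}

// SelectClientCert applies the proposed order: keep certificates issued by one of the DER names the
// server advertised (tls.CertificateRequestInfo.AcceptableCAs), then apply the optional filters.
func SelectClientCert(store []*x509.Certificate, acceptableCAs [][]byte, issuer, subject *NameFilter) (*x509.Certificate, error) {
	accept := map[string]bool{}
	for _, ca := range acceptableCAs {
		accept[string(ca)] = true
	}
	var matches []*x509.Certificate
	for _, c := range store {
		if len(accept) > 0 && !accept[string(c.RawIssuer)] {
			continue // not issued by a CA the server said it trusts
		}
		if (issuer != nil && !issuer.Matches(c.Issuer)) || (subject != nil && !subject.Matches(c.Subject)) {
			continue
		}
		matches = append(matches, c)
	}
	if len(matches) != 1 { // ambiguity is an error, never a silent "first match wins"
		return nil, fmt.Errorf("%d client certificates matched, need exactly one (narrow with --client-cert-issuer or --client-cert-subject)", len(matches))
	}
	return matches[0], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a throwaway certificate with the given subject and issuer names (constructed fixture).
func newCert(subject, issuer pkix.Name) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	parent := &x509.Certificate{Subject: issuer, PublicKey: &key.PublicKey}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// DemoStore is a constructed stand-in for an OS certificate store: two certificates from
// "Trusted CA Name" differing only in OU, plus one from another CA. It also returns the CA
// list a server that trusts only "Trusted CA Name" would advertise in its CertificateRequest.
func DemoStore() ([]*x509.Certificate, [][]byte) {
	trusted, other := pkix.Name{CommonName: "Trusted CA Name"}, pkix.Name{CommonName: "Other CA"}
	user := func(ou string) pkix.Name { return pkix.Name{CommonName: "alice", OrganizationalUnit: []string{ou}} }
	store := []*x509.Certificate{newCert(user("VPN Users"), trusted), newCert(user("Pomerium Users"), trusted), newCert(user("Pomerium Users"), other)}
	return store, [][]byte{must(asn1.Marshal(trusted.ToRDNSequence()))}
}

func main() {
	store, cas := DemoStore()
	_, err := SelectClientCert(store, cas, nil, nil) // --client-cert-from-store alone: two candidates
	fmt.Println("default rule:", err)
	subj, _ := ParseNameFilter("OU=Pomerium Users")
	c, err := SelectClientCert(store, cas, nil, &subj)
	fmt.Println("with --client-cert-subject:", c.Subject.OrganizationalUnit, err)
}
```

With only the default rule, the two certificates from the advertised CA are indistinguishable and selection fails rather than picking one arbitrarily; adding `--client-cert-subject "OU=Pomerium Users"` narrows it to the one certificate meant for Pomerium, which is exactly the multi-certificate-per-CA case the proposal is addressing.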

@desimone
Contributor

@kenjenkins -- #380 is in draft. What moves it off the bench?

@kenjenkins
Contributor Author

If no concerns about the proposed options, I think #380 is ready for review.

It does still need a follow-up change to add corresponding changes in the API used by the desktop app, but I think we can do that in a separate PR.

@kenjenkins
Contributor Author

This is released now in pomerium-cli v0.23.0.
