Clarify tooltips for Certificates and Certificate Authorities
As of now, the cert, CA, and interCA create forms' tooltips all have the following text:
"Common Name (eg, FQDN of FreeNAS server or service)"
This is because their forms all inherit this help text from the CertificateBase model's cert_common field.
As a result, what can happen is as follows:
1. The user creates an internal CA with the FQDN of his FreeNAS box as its common name.
2. (This step is optional.) They then continue to create an interCA using the CA created in step 1, giving this interCA the same common name.
3. They create an endpoint cert using either the CA or the interCA from step 1 or 2 above. For this cert, too, they give the same common name.
4. They use the cert created in step 3 to make the webui use HTTPS.
5. When they try to access the FreeNAS box from Chrome, we present Chrome with a chain of certs all the way back to the earliest we have in our FreeNAS system, i.e. endpoint cert + CA or endpoint cert + interCA + CA.
6. This results in the chain of pubkeys containing the same common name and throws off browsers like Chrome, resulting in the user not being able to access the site.
So what we should do is the following:
1. Either change the base help text string located at https://github.com/freenas/freenas/blob/master/gui/system/models.py#L725 to elaborately state that while you can use the FQDN for the common name it cannot be the same for any cert in this above-mentioned chain.
NOTE: keep in mind that the common name of the endpoint cert (in our example it is the webui cert) should match the DNS name at which we are trying to reach the box. For example, if our FreeNAS webui is located at myfreenasbox.ixsystems.com then the common name of the webui cert should also be "myfreenasbox.ixsystems.com".
2. Change individual help text strings for CA creation, interCA creation, cert, and lastly even CSR creation forms while still somehow conveying the above message. These are located at the following places in the code:
If I was unable to convey my point in the above text, please reach out via telegram.
Also, I will try and think if I can find any way to programmatically prompt a message to the user in case he/she is entering the same common_name as previously used in the cert chain.
This ticket arose from a discussion about certs/CAs over at https://bugs.freenas.org/issues/24584
#4 Updated by Warren Block almost 3 years ago
- Subject changed from Tooltips for Certificate's and Certificate Authority's create forms should have the same help text for the common name field to Tooltips for Certificates and Certificate Authorities create forms should have the same help text for the common name field
#9 Updated by Timothy Moore II over 2 years ago
- Status changed from Not Started to Blocked
- % Done changed from 0 to 50
- Reason for Blocked set to Waiting for feedback
Created pull request #325 to ensure text of `Common Name` tooltip matches across every form under System/CAs and System/Certificates. This tooltip is based off the latest documentation in the FreeNAS User Guide (11.1-U1).
Does the description of the "Common Name" field in the User Guide, and thus the related tooltips, need to be updated further?
#10 Updated by Timothy Moore II over 2 years ago
- Status changed from Blocked to Done
- % Done changed from 50 to 100
Ok, after discussing the issue with Vladimir, I've submitted pull request #50 in freenas/freenas-docs (https://github.com/freenas/freenas-docs/pull/50) and pull request #334 in freenas/webui (https://github.com/freenas/webui/pull/334) to update both the FreeNAS guide and new UI tooltips. The documentation now states that the certificates/elements in a "chain" of certificates need to have unique "Common Names".
Vladimir also mentioned that "In the near future we'll have a feature that will validate certificate chains used for Web UI. We'll check this too, because having multiple certificates with same `common name` in one chain has no sense."
#11 Updated by Dru Lavigne over 2 years ago
- Subject changed from Tooltips for Certificates and Certificate Authorities create forms should have the same help text for the common name field to Clarify tooltips for Certificates and Certificate Authorities
- Status changed from Done to In Progress
- Target version changed from 11.2-BETA1 to 11.1-U2
- Needs Doc changed from Yes to No
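
The programmatic check proposed in the ticket description and the chain validation mentioned in comment #10 could look like the sketch below. This is an added example, not FreeNAS code: the `Entry` class, its field names, the function names and the sample store are all hypothetical and constructed for illustration.

```python
# Added example; Entry, its fields and STORE are hypothetical, not FreeNAS code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    """One stored CA or certificate (hypothetical stand-in for a model row)."""
    name: str
    common_name: str
    signed_by: Optional[str] = None  # name of the signing CA, None for a root

def _norm(cn):
    # DNS names compare case-insensitively; ignore padding and a trailing dot.
    return cn.strip().rstrip(".").lower()

def issuer_chain(store, signer):
    """Walk from the chosen signer up to the root, stopping on loops or gaps."""
    chain, seen = [], set()
    while signer is not None and signer in store and signer not in seen:
        seen.add(signer)
        chain.append(store[signer])
        signer = store[signer].signed_by
    return chain

def common_name_conflicts(store, new_cn, signer):
    """Names of chain members whose Common Name equals the one being entered."""
    wanted = _norm(new_cn)
    return [e.name for e in issuer_chain(store, signer) if _norm(e.common_name) == wanted]

def form_errors(store, new_cn, signer, served_host=None):
    """Messages a create form could show before saving the new entry."""
    errors = [
        f"Common Name '{new_cn}' is already used by '{name}' in this chain"
        for name in common_name_conflicts(store, new_cn, signer)
    ]
    # Endpoint certs only: the CN should match the DNS name used to reach the box.
    if served_host is not None and _norm(served_host) != _norm(new_cn):
        errors.append(f"Common Name '{new_cn}' does not match host '{served_host}'")
    return errors

# Constructed sample store: steps 1 and 2 of the ticket, plus a clean chain.
STORE = {
    "root_ca": Entry("root_ca", "myfreenasbox.ixsystems.com"),
    "inter_ca": Entry("inter_ca", "myfreenasbox.ixsystems.com", "root_ca"),
    "good_root": Entry("good_root", "Example Internal Root CA"),
    "good_inter": Entry("good_inter", "Example Internal Issuing CA", "good_root"),
}

if __name__ == "__main__":
    print(form_errors(STORE, "myfreenasbox.ixsystems.com", "inter_ca"))
```

Calling `form_errors` with `served_host` set applies the NOTE from the description as well, so an endpoint cert is checked both against its chain and against the name used to reach the box.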