Add web tls client authentication to the user identity cert

I can't give fabric "user" type identities a fabric certificate that allows TLS Web Client Authentication.

During the enrollment process of a user identity, a CSR is passed in and a signed fabric cert is returned. During this process, I need the user identity cert to have the X.509 attribute:

X509v3 Extended Key Usage: TLS Web Client Authentication

This will allow the certificate to authenticate using mutual TLS with another fabric signed server. The question is, how can I convince fabric to add this attribute?

Currently the user is registered and enrolled using api calls to the fabric-ca-client.


    // Register the new identity with the Fabric CA (register endpoint).
    registerRequestJson, err := json.Marshal(FabricCARegisterRequest{
        Id:             newFabricUserId,
        Type:           "user",
        Secret:         registerSecret.String(),
        MaxEnrollments: 1,
    })
    regRequest, err := http.NewRequest("POST",
        fmt.Sprintf("https://%s%s", os.Getenv(FABRIC_CA_SERVER_ADDR), FABRIC_CA_SERVER_API_REGISTER_PATH),
        bytes.NewBuffer(registerRequestJson))

    // Enroll: POST the CSR, using the enrollment ID and secret as the
    // basic-auth credentials embedded in the URL (user:secret@host).
    enrollRequestJson, err := json.Marshal(FabricCAEnrollRequest{
        Request: csr,
    })
    enrollRequest, err := http.NewRequest("POST",
        fmt.Sprintf("https://%s:%s@%s%s", newFabricUserId, registerSecret.String(), os.Getenv(FABRIC_CA_SERVER_ADDR), FABRIC_CA_SERVER_API_ENROLL_PATH),
        bytes.NewBuffer(enrollRequestJson))

An example result cert (that has been signed by fabric) is:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:ad:8a:4d:b2:0f:c3:4a:89:3e:50:2f:09:08:8a:2b:0e:05:d7:cc
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=omitted, CN=ca.omitted
        Validity
            Not Before: Jul 10 18:35:00 2018 GMT
            Not After : Jul 10 18:35:00 2019 GMT
        Subject: CN=abe7d015-fe68-4265-8612-3b038f94360e
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    omitted
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                omitted
            X509v3 Authority Key Identifier: 
                omitted
    Signature Algorithm: ecdsa-with-SHA256
         omitted

Any help would be greatly appreciated!
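An added example, not code from the question or from Fabric CA: a Go check to run over the PEM the enroll call returns, reporting whether the certificate carries the "TLS Web Client Authentication" EKU and, as a second caveat, a Key Usage that permits Digital Signature (a Key Usage of only Certificate Sign, as in the dump above, is rejected for client authentication by strict TLS stacks even when the EKU is present). SelfSignedPEM is a constructed test fixture; its all-zero key seed and the usages passed to it are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// ClientAuthProblems lists why a PEM leaf cert would be refused as a mutual-TLS client
// cert: no "TLS Web Client Authentication" EKU, or a Key Usage without Digital Signature.
func ClientAuthProblems(certPEM []byte) []string {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"input is not a PEM block"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"parse error: " + err.Error()}
	}
	var problems []string
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage { // crypto/tls verifies client certs against ExtKeyUsageClientAuth
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny
	}
	if !clientAuth {
		problems = append(problems, "missing X509v3 Extended Key Usage: TLS Web Client Authentication")
	}
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 { // 0 = extension absent
		problems = append(problems, "X509v3 Key Usage does not include Digital Signature")
	}
	return problems
}

// SelfSignedPEM builds a constructed self-signed test cert (not a Fabric CA cert); KeyUsageCertSign
// with no EKU reproduces the extensions shown in the posted dump.
func SelfSignedPEM(ku x509.KeyUsage, eku []x509.ExtKeyUsage) []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed all-zero seed: test-only key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	// A signing failure leaves der empty; the resulting PEM then fails to parse and the check reports it.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Point ClientAuthProblems at the PEM returned by the enrollment response to see which of the two extensions the CA's signing profile left out.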

Tags: ssl, hyperledger-fabric, x509certificate, tls1.2, mutual-authentication
