Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Extracting username from X.509 certificate

Dear all,

We are using the following subject in our X.509 certificate:

cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz

I would like to use the second cn as a value for ldap search. I have thought that username-from-certificate command in tunnel-group could do the trick, but If I use "username-from-certificate CN" only the last cn from certificate is returned (in the case of the above mentioned example it is "Users" string). I also tried to use lua stcript, but with no avail. Is ther any lua variable like "return cert.subject.dn" that contain whole distinguished name from subject or any other possibility that could help me to use any CN from certificate subject as a user name? We are using asa822-k8.bin (ASDM 6.3(1)) software version. Any answer would be very appreciated. Thank you very much.

Yours sincerely,

Zdenek Rottenberg

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Extracting username from X.509 certificate

Hi Zdenek

great, thanks for letting us know!

BTW please mark the thread as resolved, thanks!

cheers

Herbert

9 REPLIES
Cisco Employee

Re: Extracting username from X.509 certificate

Hi Zdenek,

have you tried using a LUA regular expression, i.e. something like

cn=%a+,cn=(%a+),cn=%a+

hth

Herbert

New Member

Re: Extracting username from X.509 certificate

Hi Herbert,

first of all thank you very much for your answer.

Yes, it is true that I can use regular expressions, but regular expressions must be applied to a variable. The following table represents lists of supported variables (this is for ASA sw 8.2(2) and ASDM 6.3.(1)):

cert.subject.c

Country

cert.subject.cn

Common Name

cert.subject.dnq

DN qualifier

cert.subject.ea

Email Address

cert.subject.genq

Generational qualified

cert.subject.gn

Given Name

cert.subject.i

Initials

cert.subject.l

Locality

cert.subject.n

Name

cert.subject.o

Organization

cert.subject.ou

Organization Unit

cert.subject.ser

Subject Serial Number

cert.subject.sn

Surname

cert.subject.sp

State/Province

cert.subject.t

Title

cert.subject.uid

User ID

cert.issuer.c

Country

cert.issuer.cn

Common Name

cert.issuer.dnq

DN qualifier

cert.issuer.ea

Email Address

cert.issuer.genq

Generational qualified

cert.issuer.gn

Given Name

cert.issuer.i

Initials

cert.issuer.l

Locality

cert.issuer.n

Name

cert.issuer.o

Organization

cert.issuer.ou

Organization Unit

cert.issuer.ser

Issuer Serial Number

cert.issuer.sn

Surname

cert.issuer.sp

State/Province

cert.issuer.t

Title

cert.issuer.uid

User ID

cert.serialnumber

Certificate Serial Number

cert.subjectaltname.upn

User Principal Name


As you can see there are no variable which represents the complete subject.

The variable cert.subject.cn return the last CN in the subject. So, a regular expression would be applied to string "Users" if the certificate subject is CN=rotten,CN=Users,DC=test,DC=cz. I have not find the way to apply the regular expression on the whole distinguished name yet. I tryed to use some lua functions like "return findpattern(cert.subject.cn,"%a+")" and it does not work.

Take care,

Zdenek

Cisco Employee

Re: Extracting username from X.509 certificate

Can't try this out in the lab right now, but maybe you can try using just "cert.subject" ?

New Member

Re: Extracting username from X.509 certificate

I have already tried to use the cert.subject variable and it did not work. I think it could not be serious problem because moust certificate subjects have one CN. In case of more than one CNs, choosing the last CN is not good behaviour of course (it is my opinion). I am going to try upgrade from 8.2.2 to the latest version (within one or two weeks) and give it one more try to find the solution. Then let you know the result.

Take care

Zdenek Rottenberg

Cisco Employee

Re: Extracting username from X.509 certificate

Hi Zdenek,

I think I found the solution, there is a variable cert.subject.fulldn that you can use, e.g.

local a,b,c;
a,b,c = string.find( cert.subject.fulldn, ',cn=(.+),cn=Users' );
return c;

hth

Herbert

New Member

Re: Extracting username from X.509 certificate

Hi Herbert,

The variable cert.subject.fulldn is valid variable and if you write script:

return cert.subject.fulldn

you will see (in wireshark) valid LDAP query with search string containing whole DN. This is incredible result. By the way, where did you find this variable?The script itself did not worked, but I think I have enought information to complete the script by myself.

I am, of course, going to inform you about the results of my ongoing tests.

Thank you very much for your help.

Take care,

Zdenek Rottenberg

Cisco Employee

Re: Extracting username from X.509 certificate

Hi Zdenek,

strange, the script worked ok for me. My test certificate has:

  cn=John Doe,cn=jdoe,cn=users,ou=employees

and with the script I posted (except with 'users' instead of 'Users' in the pattern, I just changed that to match your example) I get 'jdoe' as result.

Anyway have fun debugging the script and let me know if I can still help

And to answer your question: I used internal Cisco resources ;-)

cheers

Herbert

New Member

Re: Extracting username from X.509 certificate

Hi Herbert,

Finally I managed to find out where the problem was. The problem was in asa822-k8.bin or asdm-631.bin (or in both of them) software. After migrating to asa832-4-k8.bin and asdm-634-53.bin everything starts to work correctly. Thank you very much for your help.

take care,

Zdenek

Cisco Employee

Re: Extracting username from X.509 certificate

Hi Zdenek

great, thanks for letting us know!

BTW please mark the thread as resolved, thanks!

cheers

Herbert

4370
Views
10
Helpful
9
Replies
CreatePlease to create content