
Allow multiple CA certificates (on e.g. EAPoL)
Needs testing, Low, Public, ENHANCEMENT

Description

EAPoL certificates used to specify a certificate file which could include multiple entries (in the file itself, not in the config).

With the move to PKI, this is no longer possible.

A similar issue was noted with OpenVPN and fixed in T4485; see also this forum post: https://forum.vyos.io/t/using-multi-certificate-certificate-file-with-pki-and-openvpn/9043

It might be worth thinking whether there are any other areas this may affect. Given there are at least these two, there could be more.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to Confirmed. Oct 29 2022, 5:53 PM
sdev claimed this task.
sdev changed the subtype of this task from "Task" to "Enhancement".
sdev moved this task from Need Triage to Backlog on the VyOS 1.4 Sagitta board.
sdev added a subscriber: sdev.

Good point, I'll try and look into this and see if it can be handled everywhere the new PKI nodes are used.

Is there any kind of ETA on this? It hasn't moved in a few months, and it is preventing me from being able to upgrade. I understand this probably isn't a huge priority, but an ETA would be nice.

For eapol specifically, if your use case involves only a single chain (1 root CA + 1 or more intermediate CAs), then my fix from T4245 should do the trick. You can add each root/intermediate CA to the PKI and then set eapol to the leaf intermediate CA. When the wpa_supplicant configuration is generated, VyOS will add the intermediate CA and all of its parents to the .crt file.

(This does not address the use case of having multiple independent chains (multiple root CAs) though.)
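The two behaviours discussed in this task, splitting a legacy multi-entry certificate file into single PKI entries and assembling the leaf-to-root chain that the generated wpa_supplicant .crt file needs, as an added illustration (not VyOS code). The PKI store, the issuer/subject walk and the PEM bodies are constructed stand-ins; the example also shows why a second, independent root cannot be reached from a single configured leaf.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed stand-in for a legacy multi-entry CA file: the bodies are
# placeholders, not real certificates; only the PEM framing matters here.
def make_pem(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"

LEGACY_BUNDLE = "\n".join([make_pem("ROOT_A"), make_pem("INT_A"), make_pem("ROOT_B")])

class CaEntry(NamedTuple):
    subject: str
    issuer: str  # equals subject for a self-signed root
    pem: str

# Hypothetical PKI store: one chain (root_a -> int_a) plus an independent root_b.
PKI: Dict[str, CaEntry] = {
    "root_a": CaEntry("CN=Root A", "CN=Root A", make_pem("ROOT_A")),
    "int_a": CaEntry("CN=Intermediate A", "CN=Root A", make_pem("INT_A")),
    "root_b": CaEntry("CN=Root B", "CN=Root B", make_pem("ROOT_B")),
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem_bundle(bundle: str) -> List[str]:
    """Split a multi-certificate file into the single entries a PKI store expects."""
    return PEM_BLOCK.findall(bundle)

def build_chain(pki: Dict[str, CaEntry], leaf: str) -> List[str]:
    """Walk from the configured leaf CA up its issuers to the self-signed root."""
    chain, seen, name = [], set(), leaf
    while name not in seen:
        seen.add(name)
        entry = pki[name]
        chain.append(entry.pem)
        if entry.issuer == entry.subject:  # self-signed root: chain complete
            return chain
        parents = [n for n, e in pki.items() if e.subject == entry.issuer]
        if not parents:
            raise LookupError(f"issuer {entry.issuer!r} of {name} is not in the PKI")
        name = parents[0]
    raise ValueError(f"issuer loop detected at {name}")

if __name__ == "__main__":
    print(len(split_pem_bundle(LEGACY_BUNDLE)), "entries in the legacy file")
    print("\n".join(build_chain(PKI, "int_a")))  # int_a then root_a; root_b is unreachable
```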

sdev changed the task status from Confirmed to In progress. Wed, Aug 30, 11:24 PM
sdev moved this task from Backlog to In Progress on the VyOS 1.4 Sagitta board.