dnwake changed the title on Aug 12, 2016 from "A X509 cert's common name is required to be equal to the GUN, but the length of a common name is restricted to 64 chars" to "Notary requires an X509 cert's common name is required to match the GUN exactly, but the length of a common name is restricted to 64 chars".
dnwake changed the title again on Aug 12, 2016 to "Notary requires an X509 cert's common name to match the GUN exactly, but the length of a common name is restricted to 64 chars".
For the benefit of future people running into this problem, I've found that the certtool command (supplied as part of the gnutls-utils package) ignores the 64 character limitation, so it can be used as a workaround.
Having merged wildcard CNs and there being workarounds, I'm going to close this. We don't have any specific action items to address GUN name length. Please re-open or file an issue with specific action items if more is needed.
In order to be valid, Notary requires that any cert must have a common name that matches the GUN. See https://github.com/docker/notary/blob/master/trustpinning/certs.go#L178
However, RFC 3280 imposes a maximum length of 64 characters on the common name of an X509 certificate. See https://www.ietf.org/rfc/rfc3280.txt (search for ub-common-name).
When using Notary with Docker, it is easy to end up with a GUN that is longer than 64 characters (e.g. "my_docker_registry.somedomain.com/my_docker_repo_part_1/my_docker_repo_part_2").
While Notary's own internal certificate-generating code may not enforce this limit, it is enforced by third-party tools such as openssl. This is a big problem for anyone planning to generate their own certificates and then import them into Notary (see #821).
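The two constraints the issue describes (the CN must equal the GUN exactly, and RFC 3280 caps the CN at ub-common-name = 64) can be seen side by side in a short Go program. This is an added example, not Notary's code and not the contents of trustpinning/certs.go: the function names CheckGUNFitsCommonName, SelfSignedCertForGUN and ValidateCNMatchesGUN are hypothetical, and the exact-match rule is restated from the issue text rather than copied from Notary. It uses only Go's standard library, whose crypto/x509 package does not enforce ub-common-name, which is why an over-long GUN can be encoded as a CN here while openssl would refuse it. The pre-flight check is the piece a practitioner would want before handing a GUN to an external certificate tool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UbCommonName is the RFC 3280 upper bound on the commonName attribute
// (ub-common-name INTEGER ::= 64). openssl enforces it; Go's crypto/x509 does not.
const UbCommonName = 64

// ExampleGUN is the over-long GUN quoted in the issue text (well past 64 characters).
const ExampleGUN = "my_docker_registry.somedomain.com/my_docker_repo_part_1/my_docker_repo_part_2"

// CheckGUNFitsCommonName is a pre-flight check (hypothetical helper) for anyone
// generating certificates with an external tool: it reports a GUN that cannot be
// placed in an RFC-conformant CN before openssl or a CA rejects it.
func CheckGUNFitsCommonName(gun string) error {
	if n := len(gun); n > UbCommonName {
		return fmt.Errorf("GUN is %d characters, but ub-common-name is %d: %q", n, UbCommonName, gun)
	}
	return nil
}

// SelfSignedCertForGUN builds a self-signed ECDSA P-256 certificate whose subject
// CN is the GUN verbatim. crypto/x509 encodes a CN longer than 64 characters
// without complaint, which matches the issue's observation that Notary's own
// certificate-generating code does not hit the limit.
func SelfSignedCertForGUN(gun string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: gun},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateCNMatchesGUN restates the rule the issue attributes to
// trustpinning/certs.go (hypothetical helper, not Notary's code): the CN must
// equal the GUN exactly, with no prefix, suffix or case folding.
func ValidateCNMatchesGUN(cert *x509.Certificate, gun string) error {
	if cn := cert.Subject.CommonName; cn != gun {
		return fmt.Errorf("certificate CN %q does not match GUN %q", cn, gun)
	}
	return nil
}

func main() {
	// The pre-flight check flags the GUN before any certificate is generated.
	if err := CheckGUNFitsCommonName(ExampleGUN); err != nil {
		fmt.Println("pre-flight:", err)
	}
	// Go nevertheless produces a certificate carrying the full GUN as CN.
	cert, err := SelfSignedCertForGUN(ExampleGUN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN length in generated cert: %d\n", len(cert.Subject.CommonName))
	// And that certificate satisfies the exact-match rule.
	fmt.Println("CN matches GUN:", ValidateCNMatchesGUN(cert, ExampleGUN) == nil)
}
```

Run it with `go run` and the pre-flight check reports the GUN's length against the 64 character bound, while the generated certificate still round-trips the full GUN through its CN; the same GUN fed to openssl's request or certificate generation would be refused at the CN field, which is the gap the issue is about.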