Skip to content

winpki: prevent CRL common names from overflowing#57867

Merged
zmb3 merged 1 commit intomasterfrom
zmb3/crl-cn-limit
Aug 14, 2025
Merged

winpki: prevent CRL common names from overflowing#57867
zmb3 merged 1 commit intomasterfrom
zmb3/crl-cn-limit

Conversation

@zmb3
Copy link
Copy Markdown
Collaborator

@zmb3 zmb3 commented Aug 13, 2025
edited
Loading

The addition of the issuer SKID to the CN for our CRLS has caused long clusters to exceed the limit of how long a CN can be.

For database access, we rely on the user to run certutil commands to publish the CRL. While we expect the limit to be 64 characters, we observe that certutil starts truncating the CN as soon as it exceeds 51 characters (which causes it to get imported in a different location from what the certificate references).

Note: no changelog because this will land in the same release as #57822 and one changelog entry is enough to cover both fixes.

@github-actions github-actions bot requested a review from Joerger August 13, 2025 18:31
@github-actions github-actions bot requested a review from nklaassen August 13, 2025 18:31
@github-actions github-actions bot added the tctl tctl - Teleport admin tool label Aug 13, 2025
@zmb3 zmb3 added the no-changelog Indicates that a PR does not require a changelog entry label Aug 13, 2025
@zmb3 zmb3 force-pushed the zmb3/crl-cn-limit branch from 93f1d93 to ac3b28b Compare August 13, 2025 20:59
@zmb3 zmb3 force-pushed the zmb3/crl-cn-limit branch 2 times, most recently from 129197a to 4554562 Compare August 13, 2025 23:20
@zmb3
winpki: prevent CRL common names from overflowing
c2d8052 
The addition of the issuer SKID to the CN for our CRLS  has
caused long clusters to exceed the limit of how long a CN
can be.

For database access, we rely on the user to run certutil
commands to publish the CRL. While we expect the limit to
be 64 characters, we observe that certutil starts truncating
the CN as soon as it exceeds 51 characters (which causes it
to get imported in a different location from what the certificate
references).
@zmb3 zmb3 force-pushed the zmb3/crl-cn-limit branch from 4554562 to c2d8052 Compare August 14, 2025 14:19
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from nklaassen August 14, 2025 15:51
@zmb3 zmb3 added this pull request to the merge queue Aug 14, 2025
Merged via the queue into master with commit 48a0848 Aug 14, 2025
40 checks passed
@zmb3 zmb3 deleted the zmb3/crl-cn-limit branch August 14, 2025 16:15
@backport-bot-workflows
Copy link
Copy Markdown
Contributor

backport-bot-workflows bot commented Aug 14, 2025

@zmb3 See the table below for backport results.

Branch Result
branch/v17 Failed
branch/v18 Create PR

This was referenced Aug 14, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@Joerger Joerger Joerger approved these changes

Assignees

No one assigned

Labels

backport/branch/v17 backport/branch/v18 no-changelog Indicates that a PR does not require a changelog entry size/sm tctl tctl - Teleport admin tool

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zmb3 @r0mant @Joerger