Continuing my exploration of mutual TLS for secure inter-service communication. Wondering how best to include in the certificate what type of service the certificate is for. The best options I can think of are either using the subjectDirectoryAttributes extension, or just using a CN encoded as a URI, with the scheme encoding the type.
This is one of those trade-offs between an approach that’s easy, vs. an approach that’s “correct”. I imagine the “correct” way to do this is to add an attribute to the certificate indicating the service type. This is probably what this extension is for, and even without using it, I don’t think there’s anything about the X.509 format which would prevent me from just adding a custom attribute, apart from the various RFCs that govern how certificates are exchanged online (this is for internal services, so I can’t imagine that being a problem).
But even so, I’m leaning towards using the URI. Although I can probably organise an OpenSSL config file which enables support for this extension — something that is not guaranteed — I’m worried that if I were to start handing off certificate creation to others, they would need to do likewise. Sure, tooling could help here, but we’ll all need to support that too. Not to mention a vast majority of the documentation out there is about using OpenSSL for creating HTTPS server certificates (apart from, I guess, the documentation on OpenSSL itself, but I don’t think I’m ready for that yet).
So I’m going to keep it simple for now. I guess if the need arises, I could look at this extension in the future.
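For the record, here is what the "URI with the scheme as the service type" approach looks like on the wire, and what the verifying side has to do with it. This is an added example, not code from the post; it uses only the Python standard library. One caveat worth knowing: X.509 already has a standard place for URIs, the uniformResourceIdentifier GeneralName in the subjectAltName extension, and RFC 5280 tells relying parties to prefer SAN over CN, so the example encodes the URI there rather than in the CN. The `api://` naming convention and the allow-list of service types are assumptions made up for the example.

```python
"""Encode and decode a service-type URI carried in subjectAltName.

Added example (not the post's code). Assumptions: the URI scheme names
the service type (e.g. "api://billing.internal"), and a relying party
accepts only one URI name whose scheme is on an allow-list.
"""
from urllib.parse import urlsplit

# Constructed allow-list of service types a peer may claim.
ALLOWED_SERVICE_TYPES = {"frontend", "api", "worker"}

# DER tags: SEQUENCE, and GeneralName [6] uniformResourceIdentifier (IA5String).
TAG_SEQUENCE = 0x30
TAG_GENERALNAME_URI = 0x86


def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_san_uris(uris):
    """Build the DER value of a subjectAltName holding only URI names.

    GeneralNames ::= SEQUENCE OF GeneralName; a URI is [6] IA5String.
    """
    names = b"".join(_der_tlv(TAG_GENERALNAME_URI, u.encode("ascii")) for u in uris)
    return _der_tlv(TAG_SEQUENCE, names)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_san_uris(der: bytes):
    """Return every URI GeneralName in a subjectAltName value; other name
    forms (DNS, IP, email, ...) are skipped."""
    tag, content, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    uris, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag == TAG_GENERALNAME_URI:
            uris.append(value.decode("ascii"))
    return uris


def service_type_from_san(der: bytes, allowed=ALLOWED_SERVICE_TYPES) -> str:
    """Derive the service type from the SAN, rejecting ambiguous or
    unknown claims rather than guessing.

    Exactly one URI name is required, its scheme is the service type,
    and the scheme must be on the allow-list.
    """
    uris = decode_san_uris(der)
    if len(uris) != 1:
        raise ValueError(f"expected exactly one URI name, found {len(uris)}")
    parts = urlsplit(uris[0])
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"malformed service URI: {uris[0]!r}")
    if parts.scheme not in allowed:
        raise ValueError(f"unknown service type: {parts.scheme!r}")
    return parts.scheme


if __name__ == "__main__":
    san = encode_san_uris(["api://billing.internal"])
    print(san.hex())
    print(service_type_from_san(san))  # api
```

A real relying party would pull the subjectAltName value out of the peer certificate with its TLS library and then apply `service_type_from_san` to it; the strict "exactly one URI, scheme on the allow-list" rule is the part that matters, since a certificate carrying two conflicting service URIs should fail authorisation rather than be interpreted charitably.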