From 3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9 Mon Sep 17 00:00:00 2001 From: yarick123 Date: Thu, 14 Aug 2014 02:15:16 +0200 Subject: [PATCH] cherry pic from 'hotfix/3347-Certificate_Authority_SAN_names_not_working': bugfix #3347: Certificate Authority SAN names not working in 2.1 subjectAltName can be set _only_ via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName. Unfortunately it is not possible to assign empty value to subjectAltName in openssl.cnf --- etc/inc/certs.inc | 8 ++++++++ etc/ssl/openssl.cnf | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index a1397b8ba9..8df3e5d21e 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di break; } + // in case of using Subject Alternative Names use other sections (with postfix '_san') + // pass subjectAltName over environment variable 'SAN' + if ($dn['subjectAltName']) { + putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file + $cert_type .= '_san'; + unset($dn['subjectAltName']); + } + $args = array( "x509_extensions" => $cert_type, "digest_alg" => $digest_alg, diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf index 08b3758d9e..5f612fbd3b 100644 --- a/etc/ssl/openssl.cnf +++ b/etc/ssl/openssl.cnf @@ -9,6 +9,10 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +# default SAN value if $ENV::SAN is not defined +# +SAN = + # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids @@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always #nsCaPolicyUrl #nsSslServerName +[ usr_cert_san ] + +# copy of [ usr_cert ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsComment = "OpenSSL Generated User Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +subjectAltName=$ENV::SAN + [ server ] # Make a cert with nsCertType=server @@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +[ server_san ] + +# copy of [ server ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::SAN + [ v3_req ] # Extensions to add to a certificate request @@ -267,6 +292,14 @@ basicConstraints = CA:true # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF +[ v3_ca_san ] + +# copy of [ v3_ca ] plus nonempty Subject Alternative Names +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true +subjectAltName=$ENV::SAN + [ crl_ext ] # CRL extensions.