diff options
author | yarick123 <yarick123@users.noreply.github.com> | 2014-08-14 02:15:16 +0200 |
---|---|---|
committer | yarick123 <yarick123@users.noreply.github.com> | 2014-08-14 02:18:32 +0200 |
commit | 3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9 (patch) | |
tree | 33ec90fbe92b49b17c50f6cbacff710379f69e86 /etc/ssl | |
parent | 23ba08fc940b711f3b44551199890dc8e28a63b6 (diff) | |
download | pfsense-3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9.zip pfsense-3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9.tar.gz |
cherry pic from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1
subjectAltName can be set _only_ via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName.
Unfortunately it is not possible to assign empty value to subjectAltName in openssl.cnf
Diffstat (limited to 'etc/ssl')
-rw-r--r-- | etc/ssl/openssl.cnf | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf index 08b3758..5f612fb 100644 --- a/etc/ssl/openssl.cnf +++ b/etc/ssl/openssl.cnf @@ -9,6 +9,10 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +# default SAN value if $ENV::SAN is not defined +# +SAN = + # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids @@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always #nsCaPolicyUrl #nsSslServerName +[ usr_cert_san ] + +# copy of [ usr_cert ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsComment = "OpenSSL Generated User Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +subjectAltName=$ENV::SAN + [ server ] # Make a cert with nsCertType=server @@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +[ server_san ] + +# copy of [ server ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::SAN + [ v3_req ] # Extensions to add to a certificate request @@ -267,6 +292,14 @@ basicConstraints = CA:true # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF +[ v3_ca_san ] + +# copy of [ v3_ca ] plus nonempty Subject Alternative Names +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true +subjectAltName=$ENV::SAN + [ crl_ext ] # CRL extensions. |