author | yarick123 <yarick123@users.noreply.github.com> | 2014-08-14 02:15:16 +0200 |
committer | yarick123 <yarick123@users.noreply.github.com> | 2014-08-14 02:18:32 +0200 |
commit | 3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9 (patch) | |
tree | 33ec90fbe92b49b17c50f6cbacff710379f69e86 /etc | |
parent | 23ba08fc940b711f3b44551199890dc8e28a63b6 (diff) | |
download | pfsense-3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9.zip pfsense-3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9.tar.gz |
cherry pick from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1
subjectAltName can be set _only_ via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName.
Unfortunately it is not possible to assign empty value to subjectAltName in openssl.cnf
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/certs.inc | 8 | ||||
-rw-r--r-- | etc/ssl/openssl.cnf | 33 |
2 files changed, 41 insertions, 0 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index a1397b8..8df3e5d 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 break;
 }
+ // in case of using Subject Alternative Names use other sections (with postfix '_san')
+ // pass subjectAltName over environment variable 'SAN'
+ if ($dn['subjectAltName']) {
+ putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
+ $cert_type .= '_san';
+ unset($dn['subjectAltName']);
+ }
+
 $args = array(
 "x509_extensions" => $cert_type,
 "digest_alg" => $digest_alg,
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index 08b3758..5f612fb 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -9,6 +9,10 @@ HOME = .
 RANDFILE = $ENV::HOME/.rnd
+# default SAN value if $ENV::SAN is not defined
+#
+SAN =
+
 # Extra OBJECT IDENTIFIER info:
 #oid_file = $ENV::HOME/.oid
 oid_section = new_oids
@@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
+[ usr_cert_san ]
+
+# copy of [ usr_cert ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+subjectAltName=$ENV::SAN
+
 [ server ]
 # Make a cert with nsCertType=server
@@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=serverAuth
 keyUsage = digitalSignature, keyEncipherment
+[ server_san ]
+
+# copy of [ server ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::SAN
+
 [ v3_req ]
 # Extensions to add to a certificate request
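Review bot: `if ($dn['subjectAltName'])` reads the array key unconditionally, so every certificate created without a SAN (the common case) triggers an undefined-index notice on that line; `if (!empty($dn['subjectAltName'])) {` keeps the same truthiness test without the notice. The value exported with `putenv()` stays in the process environment after cert_create returns; it is only consumed when a `_san` section is selected and is overwritten on the next SAN certificate, but clearing it once the OpenSSL call has consumed `$args` (`putenv("SAN");`) would make the lifetime explicit — that call is outside the hunk. Because `$dn` is passed by value in the signature shown in the hunk header, the `unset()` only touches the local copy, which the comment above the block should say so a reader does not expect the caller's array to lose the key. cert_create's body continues on both sides of the hunk.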
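Review bot: `[ usr_cert_san ]` is a hand-maintained copy of `[ usr_cert ]`, as `[ server_san ]` is of `[ server ]` and, in the following hunk, `[ v3_ca_san ]` of `[ v3_ca ]`; any later change to a base section's extensions (keyUsage, extendedKeyUsage, basicConstraints) that is not mirrored into its `_san` twin will silently yield certificates whose extension set depends only on whether a SAN was entered. The config format gives no section inheritance to express this, so the pairing should at least be stated from the base side as well, e.g. above `[ usr_cert ]`: `# keep in sync with [ usr_cert_san ] below`. The new top-level `SAN =` default deserves a sentence saying it exists only so that `$ENV::SAN` resolves when the variable is unset; per the commit message an empty subjectAltName is itself rejected by OpenSSL, so a `_san` section must never be reached with that default in effect.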
@@ -267,6 +292,14 @@ basicConstraints = CA:true
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
+[ v3_ca_san ]
+
+# copy of [ v3_ca ] plus nonempty Subject Alternative Names
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+subjectAltName=$ENV::SAN
+
 [ crl_ext ]
 # CRL extensions.