diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-08-29 10:09:25 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-08-29 10:09:25 -0300 |
commit | 985ed11c5457dee4190d98678a6ff17cb5751f2b (patch) | |
tree | a6d1eea7dfb72ffeaac7fb08265938aa3de8d8d8 /etc | |
parent | b0473447877582562f15d7086f645af28183ce33 (diff) | |
parent | 3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9 (diff) | |
download | pfsense-985ed11c5457dee4190d98678a6ff17cb5751f2b.zip pfsense-985ed11c5457dee4190d98678a6ff17cb5751f2b.tar.gz |
Merge pull request #1258 from yarick123/master
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/certs.inc | 8 | ||||
-rw-r--r-- | etc/ssl/openssl.cnf | 33 |
2 files changed, 41 insertions, 0 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index a1397b8..8df3e5d 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di break; } + // in case of using Subject Alternative Names use other sections (with postfix '_san') + // pass subjectAltName over environment variable 'SAN' + if ($dn['subjectAltName']) { + putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file + $cert_type .= '_san'; + unset($dn['subjectAltName']); + } + $args = array( "x509_extensions" => $cert_type, "digest_alg" => $digest_alg, diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf index 08b3758..5f612fb 100644 --- a/etc/ssl/openssl.cnf +++ b/etc/ssl/openssl.cnf @@ -9,6 +9,10 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +# default SAN value if $ENV::SAN is not defined +# +SAN = + # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids @@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always #nsCaPolicyUrl #nsSslServerName +[ usr_cert_san ] + +# copy of [ usr_cert ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsComment = "OpenSSL Generated User Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +subjectAltName=$ENV::SAN + [ server ] # Make a cert with nsCertType=server @@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +[ server_san ] + +# copy of [ server ] plus nonempty Subject Alternative Names +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::SAN + [ v3_req ] # Extensions to add to a certificate request @@ -267,6 +292,14 @@ basicConstraints = CA:true # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF +[ v3_ca_san ] + +# copy of [ v3_ca ] plus nonempty Subject Alternative Names +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true +subjectAltName=$ENV::SAN + [ crl_ext ] # CRL extensions. |