summaryrefslogtreecommitdiffstats
path: root/etc
diff options
context:
space:
mode:
authorRenato Botelho <garga@FreeBSD.org>2014-08-29 10:09:25 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-08-29 10:09:25 -0300
commit985ed11c5457dee4190d98678a6ff17cb5751f2b (patch)
treea6d1eea7dfb72ffeaac7fb08265938aa3de8d8d8 /etc
parentb0473447877582562f15d7086f645af28183ce33 (diff)
parent3cb773da77e9412e96d7ebeb9cdefb5a195bfdd9 (diff)
downloadpfsense-985ed11c5457dee4190d98678a6ff17cb5751f2b.zip
pfsense-985ed11c5457dee4190d98678a6ff17cb5751f2b.tar.gz
Merge pull request #1258 from yarick123/master
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/certs.inc8
-rw-r--r--etc/ssl/openssl.cnf33
2 files changed, 41 insertions, 0 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index a1397b8..8df3e5d 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
break;
}
+ // in case of using Subject Alternative Names use other sections (with postfix '_san')
+ // pass subjectAltName over environment variable 'SAN'
+ if ($dn['subjectAltName']) {
+ putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
+ $cert_type .= '_san';
+ unset($dn['subjectAltName']);
+ }
+
$args = array(
"x509_extensions" => $cert_type,
"digest_alg" => $digest_alg,
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index 08b3758..5f612fb 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -9,6 +9,10 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
+# default SAN value if $ENV::SAN is not defined
+#
+SAN =
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
@@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always
#nsCaPolicyUrl
#nsSslServerName
+[ usr_cert_san ]
+
+# copy of [ usr_cert ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+subjectAltName=$ENV::SAN
+
[ server ]
# Make a cert with nsCertType=server
@@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+[ server_san ]
+
+# copy of [ server ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::SAN
+
[ v3_req ]
# Extensions to add to a certificate request
@@ -267,6 +292,14 @@ basicConstraints = CA:true
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
+[ v3_ca_san ]
+
+# copy of [ v3_ca ] plus nonempty Subject Alternative Names
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+subjectAltName=$ENV::SAN
+
[ crl_ext ]
# CRL extensions.
OpenPOWER on IntegriCloud