cherry pic from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':

bugfix #3347: Certificate Authority SAN names not working in 2.1 subjectAltName can be set _only_ via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName. Unfortunately it is not possible to assign empty value to subjectAltName in openssl.cnf
2014-08-14 02:15:16 +02:00 · 2014-08-14 02:15:16 +02:00 · 3cb773da77
parent 23ba08fc94
commit 3cb773da77
2 changed files with 41 additions and 0 deletions
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 			break;
 	}

+	// in case of using Subject Alternative Names use other sections (with postfix '_san')
+	// pass subjectAltName over environment variable 'SAN'
+	if ($dn['subjectAltName']) {
+		putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
+		$cert_type .= '_san';
+		unset($dn['subjectAltName']);
+	}
+
 	$args = array(
 		"x509_extensions" => $cert_type,
 		"digest_alg" => $digest_alg,
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@ -9,6 +9,10 @@
 HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd

+# default SAN value if $ENV::SAN is not defined
+#
+SAN                     =
+
 # Extra OBJECT IDENTIFIER info:
 #oid_file               = $ENV::HOME/.oid
 oid_section             = new_oids
@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName

+[ usr_cert_san ]
+
+# copy of [ usr_cert ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsComment                       = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+subjectAltName=$ENV::SAN
+
 [ server ]

 # Make a cert with nsCertType=server
@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=serverAuth
 keyUsage = digitalSignature, keyEncipherment

+[ server_san ]
+
+# copy of [ server ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::SAN
+
 [ v3_req ]

 # Extensions to add to a certificate request
@ -267,6 +292,14 @@ basicConstraints = CA:true
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF

+[ v3_ca_san ]
+
+# copy of [ v3_ca ] plus nonempty Subject Alternative Names
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+subjectAltName=$ENV::SAN
+
 [ crl_ext ]

 # CRL extensions.