cherry pic from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1. subjectAltName can be set _only_ via the configuration file, so three extra sections were created in openssl.cnf for use when a subjectAltName is present. Unfortunately it is not possible to assign an empty value to subjectAltName in openssl.cnf
parent
23ba08fc94
commit
3cb773da77
|
@ -293,6 +293,14 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
|
|||
break;
|
||||
}
|
||||
|
||||
// in case of using Subject Alternative Names use other sections (with postfix '_san')
|
||||
// pass subjectAltName over environment variable 'SAN'
|
||||
if ($dn['subjectAltName']) {
|
||||
putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
|
||||
$cert_type .= '_san';
|
||||
unset($dn['subjectAltName']);
|
||||
}
|
||||
|
||||
$args = array(
|
||||
"x509_extensions" => $cert_type,
|
||||
"digest_alg" => $digest_alg,
|
||||
|
|
|
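Review bot: `if ($dn['subjectAltName'])` raises an undefined-index notice whenever the caller passes a `$dn` without that key, which is the common case for certificates with no SAN; `if (!empty($dn['subjectAltName'])) {` keeps the intent without the notice. The value is then handed to OpenSSL through the `SAN` environment variable with no validation, and OpenSSL parses a `subjectAltName` value as extension syntax (`DNS:`, `IP:`, `email:`, …), so an unexpected string only surfaces as an opaque config error at signing time; checking the string against the accepted entry forms before the `putenv` gives a clearer failure and keeps arbitrary input away from the config parser. `putenv` also leaves `SAN` set for the rest of the PHP process and for any child process it spawns, so clearing it with `putenv('SAN')` once the request and certificate have been created would avoid stale values leaking into later calls, though that cleanup falls after the end of this hunk. The `$cert_type .= '_san'` suffix presumably assumes every value the preceding switch assigns to `$cert_type` has a matching `_san` section in openssl.cnf; a comment naming that assumption next to the line would help the next person who adds a certificate type. cert_create's body continues on both sides of the hunk.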
@ -9,6 +9,10 @@
|
|||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# default SAN value if $ENV::SAN is not defined
|
||||
#
|
||||
SAN =
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
@ -212,6 +216,15 @@ authorityKeyIdentifier=keyid,issuer:always
|
|||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ usr_cert_san ]
|
||||
|
||||
# copy of [ usr_cert ] plus nonempty Subject Alternative Names
|
||||
basicConstraints=CA:FALSE
|
||||
nsComment = "OpenSSL Generated User Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
subjectAltName=$ENV::SAN
|
||||
|
||||
[ server ]
|
||||
|
||||
# Make a cert with nsCertType=server
|
||||
|
@ -223,6 +236,18 @@ authorityKeyIdentifier=keyid,issuer:always
|
|||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ server_san ]
|
||||
|
||||
# copy of [ server ] plus nonempty Subject Alternative Names
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "OpenSSL Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
subjectAltName=$ENV::SAN
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
@ -267,6 +292,14 @@ basicConstraints = CA:true
|
|||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ v3_ca_san ]
|
||||
|
||||
# copy of [ v3_ca ] plus nonempty Subject Alternative Names
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints = CA:true
|
||||
subjectAltName=$ENV::SAN
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
|
|
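Review bot: The three new sections copy `[ usr_cert ]`, `[ server ]` and `[ v3_ca ]` line by line, so any later change to the base extension set (keyUsage, nsCertType, basicConstraints) silently stops applying to SAN-bearing certificates unless both copies are edited; a `# NOTE: keep in sync with [ usr_cert ]` comment at the top of `[ usr_cert_san ]`, with the matching note in `[ server_san ]` and `[ v3_ca_san ]` in the later hunks, at least records the coupling. Each `subjectAltName=$ENV::SAN` line also depends on the caller having exported a non-empty `SAN`; since an unset variable appears to fall back to the empty `SAN =` default added near the top of the file, the failure mode is an OpenSSL extension-parse error rather than a missing-variable error, which is worth stating in the `# default SAN value if $ENV::SAN is not defined` comment so that the error is recognisable when it shows up. Adding `subjectAltName` to the CA profile in `[ v3_ca_san ]` is unusual for a CA certificate; if that is intended by the ticket, a one-line comment saying so would stop a reviewer from treating it as a copy-paste of the server profile.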