Looks like a good start - but missing support for alt-names / SAN.
skx opened this issue
I'm currently using something based upon CA-baka, and am looking for a new implementation before my existing certificates all start to expire.
One thing your project is missing is support for SAN, which would allow me to generate a certificate for multiple hostnames. For example right now I do this kind of thing:
./CA-baka --workdir CA/ --newserver dhcp webmaster\@dhcp.io --altnames DNS:dhcp.io --altnames DNS:www.dhcp.io --altnames DNS:pxe.io --altnames DNS:www.pxe.io
That gives me a certificate for the names:
- pxe.io
- www.pxe.io
- dhcp.io
- www.dhcp.io
Adding support for this is a bit fiddly because you essentially have to write a small openssl configuration-file with a snippet for each name:
DNS.1 = foo.example.com
DNS.2 = bar.example.com
DNS.3 = www.example.com
Thanks for raising this - I had thought about adding SAN support, but never got round to looking into it. Having had a quick google though, it actually doesn't look like it would be too painful to implement - we could change the syntax of new to ./caman new <hostname> [--oun=oun] [<hostname> ...], then add it to the host configs.
The syntax you suggest seems natural:
./caman new $primary $secondary $tertiary
I guess there doesn't need to be a flag added to make it happen, in this case.
I've added SAN support; it all looks fine, but I haven't yet had a chance to confirm the certificates work properly, so it's on the san branch for now. Any feedback would be appreciated.
I dropped the OUN argument from new altogether for the simpler syntax; I imagine in most situations hostnames can share an OUN. If people find this is a problem I can look at adding it back as an optional argument.
Thanks for your prompt attention! A quick glance at the single new commit didn't spot any obvious problems.
Unless you beat me to it I'll checkout the code and give it a test run tomorrow, then update you.
Update - I couldn't resist. I created a request like so:
./caman new dhcp.io www.dhcp.io pxe.io www.pxe.io
I then see an invalid warning because only three of the names are valid:
The certificate is only valid for the following names:
www.dhcp.io, pxe.io, www.pxe.io
Not a big deal to regard the first name as a label, not an included name. I guess this would work:
./caman new dhcp-cert dhcp.io www.dhcp.io pxe.io www.pxe.io
Ah, the main hostname needs to be listed in the subjectAltName too. Should be an easy enough fix.
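The following is an added example and is not code from caman or CA-baka. It shows the openssl config snippet the first comment describes, with one DNS entry per hostname, and it puts the primary hostname into the subjectAltName list as well, which is the omission behind the "only valid for the following names" warning in this thread (modern clients check SAN and ignore the CN). The hostnames, the function names san_config, san_count and has_san, and the output file names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: build an openssl extension config listing every hostname,
# primary included, under subjectAltName. Names below are constructed.

# san_config PRIMARY [ALT ...]
# Prints a config whose CN is the primary hostname and whose [alt_names]
# section lists the primary first, then each alternative name.
san_config() {
    primary=$1
    shift
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$primary"
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n'
    printf '[alt_names]\n'
    i=1
    # The primary hostname goes first. Leaving it out of this loop reproduces
    # the "only valid for the following names" warning reported above.
    for name in "$primary" "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# san_count CONFIG: number of DNS entries in a generated config.
san_count() {
    printf '%s\n' "$1" | grep -c '^DNS\.'
}

# has_san CONFIG NAME: succeeds if NAME appears as a DNS entry.
has_san() {
    printf '%s\n' "$1" | grep -q "^DNS\.[0-9]* = $2\$"
}

# Using the generated file with openssl (requires openssl; not run here):
#   san_config dhcp.io www.dhcp.io > san.cnf
#   openssl req -new -newkey rsa:2048 -nodes -keyout dhcp.key -out dhcp.csr -config san.cnf
#   openssl req -in dhcp.csr -noout -text | grep -A1 'Subject Alternative Name'

cfg=$(san_config dhcp.io www.dhcp.io pxe.io www.pxe.io)
printf '%s\n' "$cfg"
```

When checking an issued certificate rather than the CSR, `openssl x509 -in cert.pem -noout -text` prints the same "X509v3 Subject Alternative Name" block; every name a client will connect with, the primary one included, should appear there.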
Think that commit should fix it - I've tested cert generation, but still not the certs themselves.
That update fixes things, thanks a lot!
Great, that's merged to main as v0.2.0. Thanks for the help!