radiac / caman

A self-signing certificate authority manager

Looks like a good start - but missing support for alt-names / SAN.

skx opened this issue · comments

I'm currently using something based upon CA-baka, and am looking for a new implementation before my existing certificates all start to expire.

One thing your project is missing is support for SAN, which would allow me to generate a certificate for multiple hostnames. For example right now I do this kind of thing:

  ./CA-baka --workdir CA/ --newserver dhcp webmaster\@dhcp.io --altnames DNS:dhcp.io --altnames DNS:www.dhcp.io --altnames DNS:pxe.io --altnames DNS:www.pxe.io

That gives me a certificate for the names:

Adding support for this is a bit fiddly because you essentially have to write a small openssl configuration-file with a snippet for each name:

  [alt_names]
  # entries must be numbered: openssl keeps only the last of duplicate keys in a section
  DNS.1 = foo.example.com
  DNS.2 = bar.example.com
  DNS.3 = www.example.com

Thanks for raising this - I had thought about adding SAN support, but never got round to looking into it. Having had a quick google though, it actually doesn't look like it would be too painful to implement - we could change the syntax of new to ./caman new <hostname> [--oun=oun] [<hostname> ...], then add it to the host configs.

The syntax you suggest seems natural:

  ./caman new $primary $secondary $tertiary

I guess there doesn't need to be a flag added to make it happen, in this case.

I've added SAN support; it all looks fine, but I haven't yet had a chance to confirm the certificates work properly, so it's on the san branch for now. Any feedback would be appreciated.

I dropped the OUN argument from new altogether for the simpler syntax; I imagine in most situations hostnames can share an OUN. If people find this is a problem I can look at adding it back as an optional argument.

Thanks for your prompt attention! A quick glance at the single new commit didn't spot any obvious problems.

Unless you beat me to it I'll check out the code and give it a test run tomorrow, then update you.

Update - I couldn't resist. I created a request like so:

  ./caman new dhcp.io www.dhcp.io pxe.io www.pxe.io

I then see an invalid warning because only three of the names are valid:

  The certificate is only valid for the following names:
  www.dhcp.io, pxe.io, www.pxe.io

Not a big deal to regard the first name as a label, not an included name. I guess this would work:

  ./caman new dhcp-cert dhcp.io www.dhcp.io pxe.io www.pxe.io

Ah, the main hostname needs to be listed in the subjectAltName too. Should be an easy enough fix.
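An added example, not caman's own code and not the commit discussed in this thread, showing the two points the thread turns on: the openssl config snippet that SAN support has to generate (one numbered DNS.n line per hostname), and the rule that the primary hostname must itself appear in subjectAltName, because a client that finds a SAN extension ignores the CN, which is exactly why the first name was reported as not covered. It assumes the openssl command-line tool is installed; the hostnames, the "Demo Test CA" subject and the working directory are invented for the demo, and the san_section / issue_cert / cert_valid_for function names are this example's own.

```sh
#!/bin/sh
# Added example, not caman's own code. Generates the openssl config a SAN
# certificate needs, issues a certificate from a throwaway CA, and checks
# which hostnames the result is valid for. Names and paths are invented.
set -eu

# san_section PRIMARY [EXTRA ...]
# Prints the [v3_req]/[alt_names] sections. The primary hostname is written
# as DNS.1 as well as being used for the CN; entries are numbered because
# openssl keeps only the last of duplicate keys within a section.
san_section() {
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    n=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$n" "$name"
        n=$((n + 1))
    done
}

# issue_cert WORKDIR PRIMARY [EXTRA ...]
# Creates a throwaway CA, a server key and CSR with CN=PRIMARY, signs the
# CSR with the generated SAN extension and prints the subjectAltName line.
issue_cert() {
    dir="$1"; primary="$2"; shift
    mkdir -p "$dir"
    san_section "$@" > "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -subj "/CN=Demo Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$primary" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_valid_for WORKDIR HOSTNAME
# Exit status 0 when the issued certificate chains to the CA and covers HOSTNAME.
cert_valid_for() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    issue_cert "$work" dhcp.io www.dhcp.io pxe.io www.pxe.io
    for h in dhcp.io www.dhcp.io pxe.io www.pxe.io; do
        cert_valid_for "$work" "$h" && echo "valid for $h"
    done
    cert_valid_for "$work" other.example || echo "not valid for other.example"
    rm -rf "$work"
fi
```

Run it as a plain shell script. The printed subjectAltName line lists all four names, including the primary, and the hostname checks use openssl's own verifier rather than a string comparison, so they exercise the same logic a TLS client applies.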

Think that commit should fix it - I've tested cert generation, but still not the certs themselves.

That update fixes things, thanks a lot!

Great, that's merged to main as v0.2.0. Thanks for the help!