
sign-req: Remove default server 'subject alternative name' SAN #1091

Merged
merged 4 commits into from
Mar 15, 2024

Conversation

TinCanTech
Collaborator

Default SAN is removed from Easy-RSA.

The default SAN values provided by Easy-RSA are inadequate for purpose.

The default name is the same as 'commonName' and, therefore, not alternate.

The default IP address is a good example of "more is less".

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech added ChangeLog Item Major Changes Changes between Major 3.X version numbers - X is Major labels Mar 13, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone Mar 13, 2024
@TinCanTech TinCanTech merged commit 1e3f97e into OpenVPN:master Mar 15, 2024
3 checks passed
@TinCanTech
Collaborator Author

FTR, renew works without needing default SAN, e.g.:

$ easyrsa --nopass renew s3
Using Easy-RSA 'vars' configuration:
* /home/tct/git/easy-rsa/test/installed/test D/pki/vars

WARNING
=======
This process is destructive!

These files will be MOVED to the 'renewed' sub-directory:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/s3.crt

These files will be DELETED:
All PKCS files for commonName: s3

The inline credentials files:
* /home/tct/git/easy-rsa/test/installed/test D/pki/s3.creds
* /home/tct/git/easy-rsa/test/installed/test D/pki/inline/s3.inline

The duplicate certificate:
* /home/tct/git/easy-rsa/test/installed/test D/pki/certs_by_serial/ABA12C492139A9A494D1198EE75BB5A0.pem
Please confirm you wish to renew the certificate
with the following subject:

  subject=
    commonName                = s3

X509v3 Subject Alternative Name:
    DNS:server3,DNS:swerveur3,IP:2.2.2.2,IP:10.1.1.1

  serial-number: ABA12C492139A9A494D1198EE75BB5A0

Type the word 'yes' to continue, or any other input to abort.
    Continue with renewal: 

Labels
BUG-FIX ChangeLog Item improvement Major Changes Changes between Major 3.X version numbers - X is Major Version 3.2.0-Release
Development

Successfully merging this pull request may close these issues.

Incorrect SAN is selected for a server named '555.1.1.1'
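As an added example (not Easy-RSA code), a small audit of the kind of SAN list the renew output above prints, checking the two defects this PR and the linked issue describe: an entry that merely repeats the commonName (so is not alternate) and an IP-typed entry for a string like '555.1.1.1' that is not a valid address. The hostname label rule used here is my own assumption, not Easy-RSA's.

```python
"""Audit X509v3 Subject Alternative Name entries against a commonName.

Constructed example, independent of Easy-RSA: entries are strings of the
form 'DNS:name' or 'IP:address', as printed by the renew confirmation.
"""
import ipaddress
import re

# LDH hostname label rule (letters, digits, hyphen; no leading/trailing
# hyphen; 1-63 chars). Assumed for this example, not Easy-RSA's rule.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value: str) -> bool:
    """True only for a syntactically valid IPv4 or IPv6 address.
    '555.1.1.1' fails because 555 is not a valid octet."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_dns_name(value: str) -> bool:
    """True for a plausible hostname: non-empty, <= 253 chars, LDH labels."""
    if not value or len(value) > 253:
        return False
    return all(_DNS_LABEL.match(label) for label in value.rstrip(".").split("."))


def audit_san(common_name: str, san_entries: list[str]) -> list[str]:
    """Return one finding per problem; an empty list means the SAN is clean."""
    findings = []
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        # A SAN that equals the CN adds nothing: it is not 'alternative'.
        if value == common_name:
            findings.append(f"{entry}: duplicates commonName, not alternate")
        # Type must match the value: IP: needs a real address, DNS: a hostname.
        if kind == "IP" and not is_ip(value):
            findings.append(f"{entry}: not a valid IP address")
        elif kind == "DNS" and is_ip(value):
            findings.append(f"{entry}: IP literal typed as DNS")
        elif kind == "DNS" and not is_dns_name(value):
            findings.append(f"{entry}: not a valid DNS name")
        else:
            pass  # well-typed entry
    return findings


if __name__ == "__main__":
    # Constructed sample values mirroring the renew output and the linked issue.
    print(audit_san("s3", ["DNS:server3", "DNS:swerveur3", "IP:2.2.2.2", "IP:10.1.1.1"]))
    print(audit_san("555.1.1.1", ["IP:555.1.1.1"]))
```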