From 379581d7cf49770d2f7753277e5348db218cb2f6 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 10 Mar 2024 18:18:53 +0000
Subject: [PATCH 1/3] Subject-Alt-Name: Correct behavior of global option --san
--san|--subject-alt-name current behavior is currently incorrect. Appending any value to EASYRSA_EXTRA_EXTS repeatedly inserts OpenSSL label 'subjectAltName = ' when this label should be specified once only. This change correctly formats EASYRSA_EXTRA_EXTS, to only begin with the label 'subjectAltName = ' and append user values to that string. Example Command line: --san=DNS:server3 --san=DNS:swerveur3 --san=IP:10.2.2.2 --san=IP:10.1.1.1 --nopass build-server-full s3 Resulting certificate: X509v3 Subject Alternative Name: DNS:server3, DNS:swerveur3, IP Address:10.2.2.2, IP Address:10.1.1.1 The originally required command string: --san=DNS:server3,DNS:swerveur3,IP:10.2.2.2,IP:10.1.1.1 build-server-full s3 is also still supported.
Signed-off-by: Richard T Bonhomme
---
easyrsa3/easyrsa | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2e2e60f07..a288818b8 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5445,9 +5445,12 @@ while :; do
 export EASYRSA_CP_EXT=1
 ;;
 --subject-alt-name|--san)
- export EASYRSA_EXTRA_EXTS="\
-$EASYRSA_EXTRA_EXTS
-subjectAltName = $val"
+ if [ "$EASYRSA_EXTRA_EXTS" ]; then
+ # Append: ",$val"
+ export EASYRSA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS,$val"
+ else
+ export EASYRSA_EXTRA_EXTS="subjectAltName = $val"
+ fi
 ;;
 --usefn)
 export EASYRSA_P12_FR_NAME="$val"
From 822f2c1c925ea1802d1b439708861f9fadd9e3a7 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 10 Mar 2024 19:15:41 +0000
Subject: [PATCH 2/3] Subject-Alt-Name: Update 'help san': Allow multiple --san instances
Signed-off-by: Richard T Bonhomme
---
easyrsa3/easyrsa | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
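Review bot: The `if [ "$EASYRSA_EXTRA_EXTS" ]` test in the new `--subject-alt-name|--san` arm cannot tell an earlier --san apart from any other content already in EASYRSA_EXTRA_EXTS; the removed lines kept prior content on its own line, which suggests the variable can be populated before option parsing, and in that case the first --san now appends `,$val` to whatever line is last and never writes the `subjectAltName = ` label, so OpenSSL either rejects the generated extension section or reads a malformed extension. The arm should remember that a SAN line has been started with its own flag and, on the first --san, begin a new line after any existing content rather than splice into it. The enclosing `while :; do` option loop starts and ends outside the hunk; `san_started` below is a constructed name, and it would need initialising before the loop if the script ever runs under `set -u`.
```shell
		--subject-alt-name|--san)
			if [ "$san_started" ]; then
				# Later --san: extend the subjectAltName line started below
				export EASYRSA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS,$val"
			elif [ "$EASYRSA_EXTRA_EXTS" ]; then
				# First --san, other extensions already present: keep them intact
				san_started=1
				export EASYRSA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS
subjectAltName = $val"
			else
				san_started=1
				export EASYRSA_EXTRA_EXTS="subjectAltName = $val"
			fi
		;;
```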
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index a288818b8..74c0e30f0 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -400,9 +400,12 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]"
 This global option adds a subjectAltName to the request or issued certificate. It MUST be in a valid format accepted by openssl or
- req/cert generation will fail. Note that including multiple such
- names requires them to be comma-separated; further invocations of
- this option will REPLACE the value.
+ req/cert generation will fail. NOTE: --san can be specified more
+ than once on the command line.
+
+ The following two command line examples are equivalent:
+ 1. --san=DNS:server1,DNS:serverA,IP:10.0.0.1
+ 2. --san=DNS:server1 --san=DNS:serverA --san=IP:10.0.0.1
 Examples of the SAN_FORMAT_STRING shown below:
From e8bac27d3a37ab3c72ca63f580b4141ee6fd3398 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 10 Mar 2024 19:20:05 +0000
Subject: [PATCH 3/3] ChangeLog: Subject-Alt-Name: Allow multiple --san instances
Signed-off-by: Richard T Bonhomme
---
ChangeLog | 1 +
1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 0b693c52f..68e790ff3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.0 (TBD)
+ * Subject-Alt-Name: Allow multiple --san instances (379581d) (#1086)
 * Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
 * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a) (#1084 - Based on #1081)