No subjectAltName in Icinga CA created CSRs #5194
Comments
For reference: https://mta.openssl.org/pipermail/openssl-users/2016-January/002764.html - seems OpenSSL itself doesn't use that info from CSRs either. If you want to come up with a fix:
Looks like we're not currently setting SANs for CSRs. Out of curiosity, what's your use case for this?
The last Chrome update marks all certificates red (insecure) which do not have the SAN set. We are using the Chrome Multi Status Plugin which queries the API, and that certificate does not have the SAN set. That's the reason.
I noticed that issue with an internal site in the last days. Chromium warns about "Subject Alternative Name Missing". Reference: https://bugs.chromium.org/p/chromium/issues/detail?id=308330 The explanation is rather interesting:
Understood, thanks for the details.
Hello,
if I create a new CSR with
icinga2 pki new-cert --cn "hostname.test.de" --key "testhost.key" --csr "testhost.csr"
and have a look in the created CSR I don't see that subjectAltName is filled with the cn.
I expect something like this in the CSR:
X509v3 Subject Alternative Name:
DNS:hostname.test.de
I found some code (line 509) in
https://github.com/Icinga/icinga2/blob/master/lib/base/tlsutility.cpp
which I think should add the SAN to the certificate but it's not.
I also found an issue which is already closed:
#4103
I tried that with Icinga 2.6.3 on CentOS7 and also on Ubuntu 16.04.
Also, setting up a completely new environment doesn't create the SAN.
Maybe I did something wrong or there is a missing switch but I cannot add the SAN.
Greetings
Christoph
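
To check a CSR for the extension the report above expects, the following sketch (an added example, not Icinga code and not part of the original thread) parses a PKCS#10 request with only the Python standard library and returns the dNSName entries in its subjectAltName extension request. The function names are hypothetical, and `sample_csr` builds constructed CSR-shaped test data with a dummy key and signature; a real file such as `testhost.csr` would be read as bytes and passed to `csr_san_dns_names`.

```python
import base64

EXT_REQUEST = bytes.fromhex("2a864886f70d01090e")  # OID 1.2.840.113549.1.9.14 (extensionRequest)
SAN = bytes.fromhex("551d11")                      # OID 2.5.29.17 (subjectAltName)

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_san_dns_names(csr):
    """Return the dNSName entries a PKCS#10 CSR (PEM or DER bytes) requests, [] if none."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        csr = base64.b64decode(b"".join(csr.strip().splitlines()[1:-1]))
    info = children(read_tlv(csr)[1])[0][1]        # CertificationRequestInfo
    names = []
    for _, attr in children(children(info)[3][1]): # [0] attributes follow version, subject, key
        (_, oid), (_, values) = children(attr)[:2]
        if oid == EXT_REQUEST:
            for _, ext in children(children(values)[0][1]):  # SEQUENCE OF Extension
                parts = children(ext)
                if parts[0][1] == SAN:             # extnValue (OCTET STRING) is the last field
                    general_names = read_tlv(parts[-1][1])[1]
                    names += [v.decode("ascii") for t, v in children(general_names) if t == 0x82]
    return names

def tlv(tag, *parts):
    body = b"".join(parts)                         # short-form length; the sample stays < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_csr(cn, with_san):  # constructed CSR-shaped DER, dummy key and signature
    subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn))))
    san = tlv(0x30, tlv(0x06, SAN), tlv(0x04, tlv(0x30, tlv(0x82, cn))))
    attrs = tlv(0x30, tlv(0x06, EXT_REQUEST), tlv(0x31, tlv(0x30, san))) if with_san else b""
    info = tlv(0x30, tlv(0x02, b"\x00"), subject, tlv(0x30), tlv(0xA0, attrs))
    return tlv(0x30, info, tlv(0x30), tlv(0x03, b"\x00"))
```

An empty list for a CSR whose CN is a hostname corresponds to the situation reported here: the request carries no subjectAltName.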