Description: allows creating RSA keys valid for more than one domain by
using the subjectAltName attribute.
Origin: http://www.msquared.id.au/articles/easy-rsa-subjectaltname/
Forwarded: no
Author: Vicente Aguilar <bisente@bisente.com> and Msquared <http://www.msquared.id.au/>
Last-Update: 2012-11-12
Index: easy-rsa/openssl-0.9.6.cnf
===================================================================
--- easy-rsa.orig/openssl-0.9.6.cnf
+++ easy-rsa/openssl-0.9.6.cnf
@@ -191,6 +191,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
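Review bot: `subjectAltName=$ENV::KEY_ALTNAMES` is expanded when OpenSSL loads the config file, not when the extension is applied, so from now on every `openssl` invocation that reads this config fails unless `KEY_ALTNAMES` is exported, including operations that add no extensions at all; the `revoke-full` hunk in this patch papers over that with an empty export, and any other script that passes this config to openssl needs the same treatment. Please document the contract next to the setting, e.g. `# KEY_ALTNAMES must be exported (may be empty) by every caller of this config`. Note also that this hunk sits in the section with the `email:copy` comment rather than the `serverAuth` one in the next hunk, so non-server certificates will now also carry a SAN built from whatever pkitool puts in `KEY_ALTNAMES`.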
@@ -212,6 +213,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
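Review bot: with subjectAltName now unconditional in the server section, clients that implement RFC 6125 matching ignore the CN as soon as a SAN extension is present, so the server's primary name must always be the first `DNS:` entry in `KEY_ALTNAMES`; the pkitool hunk does this in the argument-driven branch (`KEY_ALTNAMES="DNS:$1"`), but the batch branches assign the bare CN with no type prefix, which does not satisfy this. Worth a comment here such as `# the CN must also appear as a DNS: entry; CN is ignored once a SAN is present` so the coupling between this line and pkitool is visible to whoever edits either file.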
Index: easy-rsa/openssl-0.9.8.cnf
===================================================================
--- easy-rsa.orig/openssl-0.9.8.cnf
+++ easy-rsa/openssl-0.9.8.cnf
@@ -200,6 +200,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
@@ -221,6 +222,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
Index: easy-rsa/pkitool
===================================================================
--- easy-rsa.orig/pkitool
+++ easy-rsa/pkitool
@@ -269,31 +269,37 @@ if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
+ KEY_ALTNAMES="DNS:${KEY_CN}"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
+ KEY_ALTNAMES="$KEY_CN"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" "$KEY_CN"
+ KEY_ALTNAMES="$KEY_CN"
fi
FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using Common Name:" "$KEY_CN"
+ KEY_ALTNAMES="$KEY_CN"
FN="$KEY_CN"
if [ "$1" ]; then
FN="$1"
fi
else
- if [ $# -ne 1 ]; then
- usage
- exit 1
- else
- KEY_CN="$1"
- fi
+ KEY_CN="$1"
+ KEY_ALTNAMES="DNS:$1"
+ shift
+ while [ "x$1" != "x" ]
+ do
+ KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
+ shift
+ done
FN="$KEY_CN"
fi
-export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
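Review bot: the removed `if [ $# -ne 1 ]; then usage; exit 1` guard has no replacement in the `else` branch, so running the script with no arguments now silently produces `KEY_CN=""` and `KEY_ALTNAMES="DNS:"` instead of the usage message; keep a check such as `if [ $# -lt 1 ]; then usage; exit 1; fi` immediately before `KEY_CN="$1"`. Separately, the three `KEY_ALTNAMES="$KEY_CN"` assignments (the `$KEY_ORG CA` branch and both batch branches) omit the `DNS:` type prefix that the argument-driven branches use; OpenSSL rejects a subjectAltName entry that has no `type:value` form, so any batch-mode build that is signed with one of the patched config sections will fail. Use `KEY_ALTNAMES="DNS:${KEY_CN}"` consistently in all branches, and since the loop splits on positional arguments only, document that a CN containing a comma would corrupt the list.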
@@ -305,6 +311,7 @@ if [ $DEBUG -eq 1 ]; then
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
+ echo KEY_ALTNAMES $KEY_ALTNAMES
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
Index: easy-rsa/README.subjectAltName
===================================================================
--- /dev/null
+++ easy-rsa/README.subjectAltName
@@ -0,0 +1,38 @@
+easy-rsa with subjectAltName support
+by Vicente Aguilar <bisente@bisente.com>
+http://www.bisente.com/proyectos/easy-rsa-subjectaltname
+updates by Msquared <http://www.msquared.id.au/>
+http://www.msquared.id.au/articles/easy-rsa-subjectaltname/
+
+
+INTRODUCTION
+============
+
+This is a modified version of OpenVPN's easy-rsa script, that allows you to
+create RSA keys valid for more than one domain by using the subjectAltName
+attribute.
+
+While I don't see this as a good practice when using the certificate for
+identity validation (like in establishing a VPN), it can be useful if you
+have a web server with just one IP address and want to provide HTTPS service
+for several virtual domains without the browser complaining that the site
+domain doesn't match the certificate's domain.
+
+
+USAGE
+=====
+
+Use the script as usual, see README.orig and http://openvpn.net/easyrsa.html.
+If you want to make a key with several domains, just add them as parameters
+on the command line:
+
+ # ./build-key-server www.domain1.com www.domain2.com www.domain3.com
+
+The key's certificate in ./keys/www.domain1.com.crt will contain a section
+like:
+
+ X509v3 Subject Alternative Name:
+ DNS:www.domain1.com, DNS:www.domain2.com, DNS:www.domain3.com
+
+Any modern browser should accept the certificate for all these domains
+without complaining.
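Review bot: the README omits the environment contract this patch introduces: every script that runs openssl with the patched config must export `KEY_ALTNAMES` (see the `revoke-full` hunk), and only `DNS:` entries can be produced from the command line, because pkitool overwrites `KEY_ALTNAMES` in every branch, so there is no way to add `IP:` or other name types through this interface. A short NOTES section stating both points would save users a confusing "variable has no value" failure. Also, "RSA keys valid for more than one domain" is imprecise wording: the key is unchanged, it is the certificate that carries the names, as the `X509v3 Subject Alternative Name:` excerpt itself shows.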
Index: easy-rsa/revoke-full
===================================================================
--- easy-rsa.orig/revoke-full
+++ easy-rsa/revoke-full
@@ -20,6 +20,9 @@ if [ "$KEY_DIR" ]; then
export KEY_OU=""
export KEY_NAME=""
+ # required due to hack in openssl.cnf that supports Subject Alternative Names
+ export KEY_ALTNAMES=""
+
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
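Review bot: the empty export is needed here only because the config can no longer be loaded with `KEY_ALTNAMES` undefined, and the same failure will hit every other script that passes `$KEY_CONFIG` to openssl without going through pkitool; rather than adding a copy of this line to each of them, default `KEY_ALTNAMES=""` once in whatever common file these scripts source for the other `KEY_*` settings, and let pkitool override it. The comment should also say what the symptom is when the variable is missing, e.g. `# openssl refuses to load openssl.cnf if KEY_ALTNAMES is unset (subjectAltName=$ENV::KEY_ALTNAMES)`.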
Index: easy-rsa/openssl-1.0.0.cnf
===================================================================
--- easy-rsa.orig/openssl-1.0.0.cnf
+++ easy-rsa/openssl-1.0.0.cnf
@@ -195,6 +195,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
@@ -216,6 +217,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]