sign-req: Remove default server 'subject alternative name' SAN

Default SAN is removed from Easy-RSA. The default SAN values provided by Easy-RSA are inadequate for purpose. The default name is the same as 'commonName' and, therefore, not alternate. The default IP address is a good example of "more is less". Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Mar 13, 2024 · 0b85a5d · 0b85a5d
1 parent 6f45b81
commit 0b85a5d
Showing 1 changed file with 0 additions and 19 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -2210,25 +2210,6 @@ basicConstraints is not defined, cannot use 'pathlen'"
 		unset -v ns_cert_type
 	esac
 
-	# If type is server and no subjectAltName was
-	# requested then add one to the extensions file
-	if [ -z "$EASYRSA_EXTRA_EXTS" ]; then
-		# default server SAN
-		case "$crt_type" in
-		server|serverClient)
-			# req san or default server SAN
-			__san="$(display_san req "$req_in")"
-			if [ "$__san" ]; then
-				__san="subjectAltName = $__san"
-			else
-				__san="$(default_server_san "$req_in")"
-			fi
-			[ "$__san" ] || die "No default server SAN!"
-			export EASYRSA_EXTRA_EXTS="$__san"
-			unset -v __san
-		esac
-	fi
-
 	# Generate the extensions file for this cert:
 	ext_tmp=""
 	easyrsa_mktemp ext_tmp || \