From 0b85a5d82ec5c0452b13f1a828669c6cb2835796 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 13 Mar 2024 21:58:07 +0000
Subject: [PATCH] sign-req: Remove default server 'subject alternative name' SAN Default SAN is removed from Easy-RSA. The default SAN values provided by Easy-RSA are inadequate for purpose. The default name is the same as 'commonName' and, therefore, not alternate. The default IP address is a good example of "more is less".
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2e2e60f07..482934555 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2210,25 +2210,6 @@ basicConstraints is not defined, cannot use 'pathlen'"
 unset -v ns_cert_type
 esac
- # If type is server and no subjectAltName was
- # requested then add one to the extensions file
- if [ -z "$EASYRSA_EXTRA_EXTS" ]; then
- # default server SAN
- case "$crt_type" in
- server|serverClient)
- # req san or default server SAN
- __san="$(display_san req "$req_in")"
- if [ "$__san" ]; then
- __san="subjectAltName = $__san"
- else
- __san="$(default_server_san "$req_in")"
- fi
- [ "$__san" ] || die "No default server SAN!"
- export EASYRSA_EXTRA_EXTS="$__san"
- unset -v __san
- esac
- fi
-
 # Generate the extensions file for this cert:
 ext_tmp=""
 easyrsa_mktemp ext_tmp || \