Subject-Alt-Name: Correct behavior of global option --san

--san|--subject-alt-name current behavior is to append any value to EASYRSA_EXTRA_EXTS and repeatedly insert OpenSSL label 'subjectAltName'. This label should be specified once only. This change leaves EASYRSA_EXTRA_EXTS completely unchanged and outside of EasyRSA scope. This is done due to the lack of definition as to what EASYRSA_EXTRA_EXTS external definition is intended for. EASYRSA_EXTRA_EXTS is still used by command 'renew' but only for SAN. Create 'EASYRSA_SAN' for explicit subjectAltName use. This change correctly formats EASYRSA_SAN, to only begin with the label 'subjectAltName = ' and append user SAN values to that string. Example Command line: --san=DNS:server3 --san=DNS:swerveur3 --san=IP:10.2.2.2 --san=IP:10.1.1.1 --nopass build-server-full s3 Resulting certificate: X509v3 Subject Alternative Name: DNS:server3, DNS:swerveur3, IP Address:10.2.2.2, IP Address:10.1.1.1 The originally required command string: --san=DNS:server3,DNS:swerveur3,IP:10.2.2.2,IP:10.1.1.1 build-server-full s3 is also still supported. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Mar 16, 2024 · 4893c1f · 4893c1f
1 parent f6a6e75
commit 4893c1f
Showing 1 changed file with 16 additions and 7 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -400,9 +400,12 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
 
       This global option adds a subjectAltName to the request or issued
       certificate. It MUST be in a valid format accepted by openssl or
-      req/cert generation will fail. Note that including multiple such
-      names requires them to be comma-separated; further invocations of
-      this option will REPLACE the value.
+      req/cert generation will fail. NOTE: --san can be specified more
+      than once on the command line.
+
+      The following two command line examples are equivalent:
+      1. --san=DNS:server1,DNS:serverA,IP:10.0.0.1
+      2. --san=DNS:server1 --san=DNS:serverA --san=IP:10.0.0.1
 
       Examples of the SAN_FORMAT_STRING shown below:
 
@@ -2228,8 +2231,12 @@ basicConstraints is not defined, cannot use 'pathlen'"
 			print "nsComment = \"$EASYRSA_NS_COMMENT\""
 		fi
 
+		# SAN extension
+		if [ "$EASYRSA_SAN" ]; then
+			print "$EASYRSA_SAN"
+		fi
+
 		# Add user supplied extra extensions
-		# and/or SAN extension
 		if [ "$EASYRSA_EXTRA_EXTS" ]; then
 			print "$EASYRSA_EXTRA_EXTS"
 		fi
@@ -5388,9 +5395,11 @@ while :; do
 		export EASYRSA_CP_EXT=1
 		;;
 	--subject-alt-name|--san)
-		export EASYRSA_EXTRA_EXTS="\
-$EASYRSA_EXTRA_EXTS
-subjectAltName = $val"
+		if [ "$EASYRSA_SAN" ]; then
+			export EASYRSA_SAN="$EASYRSA_SAN, $val"
+		else
+			export EASYRSA_SAN="subjectAltName = $val"
+		fi
 		;;
 	--usefn)
 		export EASYRSA_P12_FR_NAME="$val"