From bb5d6a2fe38f5b97268894d7c5e83c46f3604466 Mon Sep 17 00:00:00 2001 From: Archer Date: Mon, 12 Aug 2024 11:01:31 -0500 Subject: [PATCH 1/4] Add IP option to SAN certificate Signed-off-by: Archer --- _security/configuration/generate-certificates.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/_security/configuration/generate-certificates.md b/_security/configuration/generate-certificates.md index 4e83ff83d1..de410c96b8 100755 --- a/_security/configuration/generate-certificates.md +++ b/_security/configuration/generate-certificates.md @@ -115,13 +115,21 @@ openssl req -new -key node1-key.pem -out node1.csr For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with [RFC 2818 (HTTP Over TLS)](https://datatracker.ietf.org/doc/html/rfc2818). The SAN should match the corresponding CN so that both refer to the same DNS A record. {: .note } -Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host: +Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host. If you're connecting to a host that only has an IP address, use `IP`: + +**No IP** ```bash echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext ``` -Generate the certificate: +**With IP** + +```bash +echo subjectAltName=IP:127.0.0.1 > node1.ext +``` + +With the DNS A record described, generate the certificate: ```bash openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext From b9810ceaeda24e213455e485a3f87ac08eb0bb2b Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:28:33 -0500 Subject: [PATCH 2/4] Apply suggestions from code review 
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- _security/configuration/generate-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/configuration/generate-certificates.md b/_security/configuration/generate-certificates.md index de410c96b8..23b76f2c13 100755 --- a/_security/configuration/generate-certificates.md +++ b/_security/configuration/generate-certificates.md @@ -115,7 +115,7 @@ openssl req -new -key node1-key.pem -out node1.csr For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with [RFC 2818 (HTTP Over TLS)](https://datatracker.ietf.org/doc/html/rfc2818). The SAN should match the corresponding CN so that both refer to the same DNS A record. {: .note } -Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host. If you're connecting to a host that only has an IP address, use `IP`: +Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host. If you're connecting to a host that only has an IP address, both IPv4 and IPv6, use the `IP` syntax: **No IP** From 3c4ba7e27bd52f797013d2af6003b7704c46c0e6 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:32:53 -0500 Subject: [PATCH 3/4] Update _security/configuration/generate-certificates.md Co-authored-by: Nathan Bower Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- _security/configuration/generate-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/configuration/generate-certificates.md b/_security/configuration/generate-certificates.md index 23b76f2c13..4146c7a8a0 100755 --- a/_security/configuration/generate-certificates.md +++ b/_security/configuration/generate-certificates.md 
@@ -115,7 +115,7 @@ openssl req -new -key node1-key.pem -out node1.csr For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with [RFC 2818 (HTTP Over TLS)](https://datatracker.ietf.org/doc/html/rfc2818). The SAN should match the corresponding CN so that both refer to the same DNS A record. {: .note } -Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host. If you're connecting to a host that only has an IP address, both IPv4 and IPv6, use the `IP` syntax: +Before generating a signed certificate, create a SAN extension file that describes the DNS A record for the host. If you're connecting to a host that only has an IP address, either IPv4 and IPv6, use the `IP` syntax: **No IP** From 365c69e340d3af4531a48c461c202ea4c36886cf Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:34:33 -0500 Subject: [PATCH 4/4] Update _security/configuration/generate-certificates.md Co-authored-by: Nathan Bower Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- _security/configuration/generate-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/configuration/generate-certificates.md b/_security/configuration/generate-certificates.md index 4146c7a8a0..2316fd33be 100755 --- a/_security/configuration/generate-certificates.md +++ b/_security/configuration/generate-certificates.md 
@@ -115,7 +115,7 @@ openssl req -new -key node1-key.pem -out node1.csr For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with [RFC 2818 (HTTP Over TLS)](https://datatracker.ietf.org/doc/html/rfc2818). The SAN should match the corresponding CN so that both refer to the same DNS A record. {: .note } -Before generating a signed certificate, create a SAN extension file that describes the DNS A record for the host. If you're connecting to a host that only has an IP address, either IPv4 and IPv6, use the `IP` syntax: +Before generating a signed certificate, create a SAN extension file that describes the DNS A record for the host. If you're connecting to a host that only has an IP address, either IPv4 or IPv6, use the `IP` syntax: **No IP**
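Review bot: In the hunk of PATCH 1/4, the new `echo subjectAltName=IP:127.0.0.1 > node1.ext` line is written without the single quotes that the DNS example above it uses (`echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext`); quote both the same way. More importantly, 127.0.0.1 is a loopback address, so a node certificate carrying only that SAN will validate only for clients on the same machine; use a routable placeholder such as `IP:10.0.0.5`, or show both names in one entry, `subjectAltName=DNS:node1.dns.a-record,IP:10.0.0.5`, since OpenSSL accepts a comma-separated list in that extension. The new lead-in "With the DNS A record described, generate the certificate:" is no longer accurate when the `IP` form was used; "With the SAN extension file in place, generate the certificate:" covers both paths. The unchanged note above the hunk also still says the SAN should match the CN so that both refer to the same DNS A record, which contradicts the IP-only case this patch introduces; adjust it to say that the SAN must name whatever clients connect to, whether a DNS name or an IP address.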
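Review bot: In the hunk of PATCH 2/4, the sentence now claims IPv6 support ("both IPv4 and IPv6") while the only example on the page is the IPv4 loopback `IP:127.0.0.1`; add an IPv6 line such as `echo 'subjectAltName=IP:2001:db8::1' > node1.ext` so readers see that the IPv6 literal is given without brackets in the `IP:` form. The phrase "only has an IP address, both IPv4 and IPv6" is also contradictory as written (a host with only one address does not have both); "an IPv4 or IPv6 address" reads correctly.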
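Review bot: In the hunk of PATCH 4/4, the wording "a host that only has an IP address, either IPv4 or IPv6" fixes the grammar of the previous two revisions, but "If you're connecting to a host" still describes the situation from the client side while the file being created is the node's own SAN; "If the node is reachable only by IP address (IPv4 or IPv6)" states what actually determines the SAN contents. The bold labels in the trailing context (`**No IP**` and, further down, `**With IP**`) would also read more clearly as `**DNS name**` and `**IP address**`, since the first case is defined by having a DNS name rather than by lacking an IP.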