From eb601ab4cc02392b4b729f0a0d6d63a18e5803ac Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 24 Nov 2015 15:20:52 +0200
Subject: [PATCH] Sign to the short fqdn, add alternative names, correct tests.
---
Makefile | 16 ++++++++--------
ssl-ca | 8 ++++++--
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/Makefile b/Makefile
index 571ada8..1b7d0e0 100644
--- a/Makefile
+++ b/Makefile
@@ -14,17 +14,17 @@ test: clean
 ./ssl-ca gen www
 test "$$(openssl rsa -noout -check -in keys/www)" = "RSA key ok"
 openssl verify -CAfile CA.crt certs/www
- test "$$(openssl x509 -in certs/www -issuer -noout)" = "issuer= /CN=*.*.ssl-ca"
- test "$$(openssl x509 -in certs/www -subject -noout)" = "subject= /CN=*.*.www.ssl-ca"
+ test "$$(openssl x509 -in certs/www -issuer -noout)" = "issuer= /CN=ssl-ca"
+ test "$$(openssl x509 -in certs/www -subject -noout)" = "subject= /CN=www.ssl-ca"
 openssl genrsa -out keys/smtp
 ./ssl-ca sign
 openssl verify -CAfile CA.crt certs/smtp
- test "$$(openssl x509 -in certs/smtp -issuer -noout)" = "issuer= /CN=*.*.ssl-ca"
- test "$$(openssl x509 -in certs/smtp -subject -noout)" = "subject= /CN=*.*.smtp.ssl-ca"
+ test "$$(openssl x509 -in certs/smtp -issuer -noout)" = "issuer= /CN=ssl-ca"
+ test "$$(openssl x509 -in certs/smtp -subject -noout)" = "subject= /CN=smtp.ssl-ca"
 ./ssl-ca resign
 openssl verify -CAfile CA.crt certs/www
 openssl verify -CAfile CA.crt certs/smtp
- test "$$(openssl x509 -in certs/www -issuer -noout)" = "issuer= /CN=*.*.ssl-ca"
- test "$$(openssl x509 -in certs/www -subject -noout)" = "subject= /CN=*.*.www.ssl-ca"
- test "$$(openssl x509 -in certs/smtp -issuer -noout)" = "issuer= /CN=*.*.ssl-ca"
- test "$$(openssl x509 -in certs/smtp -subject -noout)" = "subject= /CN=*.*.smtp.ssl-ca"
+ test "$$(openssl x509 -in certs/www -issuer -noout)" = "issuer= /CN=ssl-ca"
+ test "$$(openssl x509 -in certs/www -subject -noout)" = "subject= /CN=www.ssl-ca"
+ test "$$(openssl x509 -in certs/smtp -issuer -noout)" = "issuer= /CN=ssl-ca"
+ test "$$(openssl x509 -in certs/smtp -subject -noout)" = "subject= /CN=smtp.ssl-ca"
diff --git a/ssl-ca b/ssl-ca
index 49a036b..8351a4f 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -1,7 +1,6 @@
 #!/bin/sh -e
 test $(which openssl) || ( echo "Can't find openssl."; exit 1)
-export domain="$(basename $PWD)"
 seed="$(hexdump -n10 -e '10/1 "%02o" "\n"' /dev/urandom)"
 config=\
 "[ ca ]
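Review bot: The rewritten assertions pin the issuer and subject CN but never inspect the subjectAltName that this same commit starts emitting, so the test target would still pass if the `-extfile openssl.cnf` wiring in ssl-ca were dropped and the certificate came out with no SAN at all. After each `openssl verify -CAfile CA.crt certs/www` an extra line such as `openssl x509 -in certs/www -noout -text | grep -qF 'DNS:*.www.ssl-ca'` would cover the extension (the expected value follows from the v3_req SAN `DNS:*.${ENV::domain}` together with the asserted CN www.ssl-ca, so confirm it against a real run before pinning it). With an openssl release that supports it, `openssl verify -CAfile CA.crt -verify_hostname www.ssl-ca certs/www` is the stronger check, because it exercises the name matching a TLS client actually performs rather than the raw field contents, and it would also expose whether the SAN really covers the bare name.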
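Review bot: Dropping the top-level `export domain` means the variable is now set only inside `init` (the @@ -47 hunk), while openssl.cnf still dereferences `${ENV::domain}` for the CN and for the new subjectAltName entries, and `./ssl-ca sign` / `./ssl-ca resign` run as separate processes that never pass through `init`. Unless `sign_key` (its body begins outside the hunks shown) exports `domain` itself before its `openssl req` and `openssl x509` calls, openssl fails while parsing the config because the ENV variable has no value; the Makefile's expected subject CN of `www.ssl-ca` suggests such an assignment exists, but it is not in the diff, so it is worth confirming. A guard like `: "${domain:?domain must be set before signing}"` at the top of `sign_key` would make that dependency explicit and give a clearer failure than openssl's config-parse error.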
@@ -33,13 +32,15 @@ RANDFILE = /dev/urandom
 #O = Organization name
 #OU = Organizational unit
 #emailAddress = email address
-CN = *.*.\${ENV::domain}
+CN = \${ENV::domain}
 [ v3_ca ]
 basicConstraints = CA:true
+subjectAltName = DNS:*.\${ENV::domain}, DNS:*.*.\${ENV::domain}
 [ v3_req ]
 basicConstraints = CA:false
+subjectAltName = DNS:*.\${ENV::domain}
 "
 usage () {
@@ -47,6 +48,7 @@ usage () {
 }
 init () {
+ export domain="$(basename $PWD)"
 mkdir -p certs keys
 if [ -e openssl.cnf ]
 then
@@ -92,6 +94,7 @@ sign_key () {
 openssl req \
 -key keys/$1 \
 -new \
+ -reqexts v3_req \
 -config openssl.cnf \
 -out "$csr"
 openssl x509 \
@@ -101,6 +104,7 @@ sign_key () {
 -CA CA.crt \
 -set_serial $seed \
 -extensions v3_req \
+ -extfile openssl.cnf \
 -CAkey CA.key
 rm "$csr"
 }
-- 
GitLab
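Review bot: The subjectAltName added under `[ v3_req ]` lists only `DNS:*.${ENV::domain}`, which never matches the bare name the CN carries; with the Makefile expecting subject CN=www.ssl-ca, the leaf certificate's SAN becomes `*.www.ssl-ca` alone, and clients that follow RFC 6125 ignore the CN once a DNS SAN is present, so hostname verification for www.ssl-ca itself would fail. The line should read `subjectAltName = DNS:\${ENV::domain}, DNS:*.\${ENV::domain}`. The SAN added under `[ v3_ca ]` has no effect on path validation (restricting a CA to a name space is done with `nameConstraints`, not subjectAltName), so it only adds noise to the CA certificate. While this section is being touched, `basicConstraints = critical, CA:true` is what RFC 5280 §4.2.1.9 requires of a CA certificate, and a `keyUsage = critical, keyCertSign, cRLSign` line would complete the CA profile.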
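Review bot: The line moved into `init`, `export domain="$(basename $PWD)"`, leaves `$PWD` unquoted inside the command substitution, so a working directory whose name contains whitespace or a glob character yields a truncated or wrong domain; `export domain="$(basename "$PWD")"` is the safe form. Because this value becomes the certificate CN and feeds the SAN, a silently wrong domain produces a certificate for the wrong name instead of an obvious failure, which is why the quoting matters more here than in a typical script.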
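Review bot: `-reqexts v3_req` on the `openssl req` call embeds the extensions in the CSR, but the `openssl x509 -req` call in the @@ -101 hunk does not copy extensions from a CSR (only recent releases can, and only when explicitly asked to); what ends up in the issued certificate is determined solely by the `-extfile openssl.cnf` / `-extensions v3_req` pair added there. The `-reqexts` flag is therefore harmless but misleading, since a later reader may assume CSR-supplied extensions are honoured; either drop it or add a comment above the `openssl x509` call such as `# extensions are taken from openssl.cnf via -extfile; x509 -req ignores any extensions carried in the CSR`. Both commands also evaluate `${ENV::domain}` at run time, so they must see the same environment for the CN and SAN to agree. The `sign_key` body begins before the first of these two hunks and its remaining lines are not visible here.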