OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: loganx1121 on September 30, 2022, 09:18:00 pm

Title: Subject alternative names on certs broken?
Post by: loganx1121 on September 30, 2022, 09:18:00 pm
I run 3 firewalls at different locations and each has an OpenVPN server running.  On all of them the cert for the OpenVPN server has a SAN, and the SAN is the dynamic DNS entry for each site.  Everything works except 1 OpenVPN at 1 site, so I figured I'd just redo it all.

In redoing it, I noticed the SAN no longer shows up.  This used to work.  The OpenVPN servers were all set up like a year ago.  At one site I have several servers using a SAN for their server certificates, all issued by the firewall at that site.  This seems to just be broken.  I can't get a SAN on any server cert generated by any of the 3 firewalls anymore.

Title: Re: Subject alternative names on certs broken?
Post by: Fright on October 01, 2022, 09:02:09 am
The subjectAltName extension is fine and is added to the certificate as before (you can see this by clicking on the "i" button and looking at the cert info). It's just that the extension is no longer added to the subject of the certificate (since 21.7, if I remember correctly).
Title: Re: Subject alternative names on certs broken?
Post by: i81b4u on October 02, 2022, 01:24:29 pm
Some background on SAN, for those who are interested.

The most straightforward type of certificate will have only one FQDN, and even there you will find that, besides the subject, there is also a SAN entry of type DNS with the same FQDN.

The following code snippets extract the certificate from a website and show the subject name and SAN DNS names.

Code:
echo | openssl s_client -servername forum.opnsense.org -connect forum.opnsense.org:443 2>&- | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' | openssl x509 -in - -noout -text | grep "Subject:\|DNS:" | sed 's/^[[:space:]]*//'
Subject: CN = forum.opnsense.org
DNS:forum.opnsense.org



Certificates can have more than one FQDN; this always results in exactly one FQDN ending up as the subject, while all FQDNs are added to the SAN section of the certificate, including the one used as the subject.
I've even seen certificates with a subject not used in the SAN section at all. While that also works (as long as you don't use the subject name), I would not recommend it for normal use.

Code:
echo | openssl s_client -servername letsencrypt.com -connect letsencrypt.com:443 2>&- | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' | openssl x509 -in - -noout -text | grep "Subject:\|DNS:" | sed 's/^[[:space:]]*//'
Subject: CN = lencr.org
DNS:lencr.org, DNS:letsencrypt.com, DNS:letsencrypt.org, DNS:www.lencr.org, DNS:www.letsencrypt.com, DNS:www.letsencrypt.org



For those who are interested in reading some more about the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates", here's a link to the latest information: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
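The two points made above (the SAN carries every FQDN, including the subject's, and a subject that is absent from the SAN only "works" as long as nobody connects using that name) can be reproduced offline with nothing but the Go standard library. The following is an added example written for this thread, not code from OPNsense, OpenVPN or any forum member: it mints two self-signed server certificates with constructed, hypothetical names (vpn.example.net and site1.dyndns.example), reads the DNS names back out of the subjectAltName extension in the same spirit as the openssl one-liner's grep "DNS:" step, and then asks the certificate verifier which hostnames it would accept. Go's verifier, like current browsers, matches only the SAN and ignores the subject CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed server certificate whose subject is CN=cn and
// whose subjectAltName extension lists sans. Returns the parsed cert and its PEM.
// All names passed in by callers below are hypothetical, constructed for the example.
func selfSigned(cn string, sans []string) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // this slice becomes the subjectAltName extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// sanDNSNames is the equivalent of the thread's grep "DNS:" step: it decodes a
// PEM certificate and returns the DNS entries of its subjectAltName extension.
func sanDNSNames(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, nil
}

// hostMatches reports whether a client connecting to host would accept cert.
// VerifyHostname consults only the SAN; the subject CN is never matched.
func hostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Case 1: the subject CN is repeated in the SAN, the recommended layout.
	good, goodPEM, err := selfSigned("vpn.example.net",
		[]string{"vpn.example.net", "site1.dyndns.example"})
	if err != nil {
		panic(err)
	}
	names, _ := sanDNSNames(goodPEM)
	fmt.Println("Subject: CN =", good.Subject.CommonName, " SAN:", names)
	fmt.Println("  vpn.example.net accepted:     ", hostMatches(good, "vpn.example.net"))
	fmt.Println("  site1.dyndns.example accepted:", hostMatches(good, "site1.dyndns.example"))

	// Case 2: the subject CN is missing from the SAN. Connecting by the SAN
	// name still works; connecting by the CN is refused.
	odd, _, err := selfSigned("vpn.example.net", []string{"site1.dyndns.example"})
	if err != nil {
		panic(err)
	}
	fmt.Println("Subject: CN =", odd.Subject.CommonName, " SAN:", odd.DNSNames)
	fmt.Println("  vpn.example.net accepted:     ", hostMatches(odd, "vpn.example.net"))
	fmt.Println("  site1.dyndns.example accepted:", hostMatches(odd, "site1.dyndns.example"))
}
```

The same check applies to an OpenVPN server cert: whatever name the clients are configured to connect to (here the dynamic DNS name) has to appear in the SAN, and putting it in the CN alone is not enough for a verifier that follows the Baseline Requirements.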
Title: Re: Subject alternative names on certs broken?
Post by: loganx1121 on October 02, 2022, 04:07:36 pm
Ok thanks for all the replies.  I do see now where the SAN is in the cert.