[SOLVED] Internal certificates and Subject Alternative Name

[kei]

Hi,

I've have started with opnsense a week ago and I am very pleased. Great work!
Setting up IPSEC I needed Certificates with Subject Alternative Name set. The GUI provides a great screen for internal certificates with this extension. Unfortunately the resulting certificate does not contain any of the information provided.
Upgrading from 15.1 to 15.7 did not help, so I looked into the source and found the following:

/etc/inc/certs.inc starts with
define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");

the file exists, but is not picked up anywhere, as php expects this information to be passed in OPENSSL_CONF (see http://php.net/manual/en/openssl.installation.php).

Investigation shows that openssl picks /usr/local/openssl/openssl.cnf

down in function cert_create is the handling of SAN, it appends $cert_type with "_san" to signal openssl the custom information which it puts in the environment. This variable is never read.
Moreover there is no section in openssl.cnf that would react on the environment variable.

I have no build environment and would not want to setup one for this, yet suggest the following changes:
Replace OPEN_SSL_CONF_PATH definition with a comment on where the default openssl.cnf is picked up.

Change  cert_create as follows:

        $ca_serial = ++$ca['serial'];


        $cert_type = "usr_cert";
        // in case of using Subject Alternative Names use other sections (with postfix '_san')
        // pass subjectAltName over environment variable 'SAN'
        if ($dn['subjectAltName']) {
                putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
                $cert_type .= '_san';
                unset($dn['subjectAltName']);
        }

        $args = array(
                "x509_extensions" => $cert_type,
                "digest_alg" => $digest_alg,

Then add a section to /usr/local/openssl/openssl.cnf after the end of the existing usr_cert section, just duplicating its content and adding 1 line. I have removed here the commented lines.

[ usr_cert_san ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName= $ENV::SAN


I have patched my live system with this and obtained proper certificates with Subject Alternative Name.
I guess this did not get much attention as most of us have CA infrastructure in place elsewhere.

I hope this helps and can make it into some upcoming patch.

Keep up the good work!

Cheers,

Kei

[franco]

Hi kei,

thanks for the detailed report/fix. I remember this code and the reason why we did not keep the overrides for the feature: we split the base system and ports in two and since we did not have a template engine the decided to keep the standard file and see how far we get with it.

We'll put it back with a proper template generation for the SAN extensions (and others). We're tracking this via:
https://github.com/opnsense/core/issues/280


Cheers,
Franco

[franco]

SAN setting is somehow broken in LibreSSL via PHP OpenSSL bindings... need to find a way to rewrite or to get that fixed properly. Debugging info is sparse.

[franco]

This has been shipped recently for OpenSSL and LibreSSL.