diff -urN easy-rsa-2.0/openssl-0.9.6.cnf easy-rsa-2.0-SAN/openssl-0.9.6.cnf --- easy-rsa-2.0/openssl-0.9.6.cnf 2006-04-13 18:20:43.000000000 +0800 +++ easy-rsa-2.0-SAN/openssl-0.9.6.cnf 2010-02-18 14:21:04.000000000 +0800 @@ -190,6 +190,7 @@ # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES # Copy subject details # issuerAltName=issuer:copy @@ -211,6 +212,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES [ v3_req ] diff -urN easy-rsa-2.0/openssl.cnf easy-rsa-2.0-SAN/openssl.cnf --- easy-rsa-2.0/openssl.cnf 2008-10-28 14:42:02.000000000 +0900 +++ easy-rsa-2.0-SAN/openssl.cnf 2010-02-18 13:51:50.000000000 +0800 @@ -199,6 +199,7 @@ # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES # Copy subject details # issuerAltName=issuer:copy @@ -220,6 +221,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES [ v3_req ] diff -urN easy-rsa-2.0/pkitool easy-rsa-2.0-SAN/pkitool --- easy-rsa-2.0/pkitool 2009-05-31 05:38:49.000000000 +0800 +++ easy-rsa-2.0-SAN/pkitool 2010-02-18 14:36:43.000000000 +0800 @@ -250,31 +250,42 @@ if [ -z "$KEY_CN" ]; then if [ "$1" ]; then KEY_CN="$1" + KEY_ALTNAMES="DNS:${KEY_CN}" elif [ "$KEY_ORG" ]; then KEY_CN="$KEY_ORG CA" + KEY_ALTNAMES="$KEY_CN" fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using CA Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then FN="$1" fi else - if [ $# -ne 1 ]; then + if [ $# -eq 0 ]; then usage exit 1 else KEY_CN="$1" + KEY_ALTNAMES="DNS:$1" + shift + while [ "x$1" != "x" ] + do + KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" + shift + done fi FN="$KEY_CN" fi -export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then @@ -286,6 +297,7 @@ echo NODES_P12 $NODES_P12 echo DO_P12 $DO_P12 echo KEY_CN $KEY_CN + echo KEY_ALTNAMES $KEY_ALTNAMES echo BATCH $BATCH echo DO_ROOT $DO_ROOT echo KEY_EXPIRE $KEY_EXPIRE diff -urN easy-rsa-2.0/README.subjectAltName easy-rsa-2.0-SAN/README.subjectAltName --- easy-rsa-2.0/README.subjectAltName 1970-01-01 08:00:00.000000000 +0800 +++ easy-rsa-2.0-SAN/README.subjectAltName 2011-01-07 15:39:31.000000000 +0800 @@ -0,0 +1,38 @@ +easy-rsa with subjectAltName support +by Vicente Aguilar +http://www.bisente.com/proyectos/easy-rsa-subjectaltname +updates by Msquared +http://www.msquared.id.au/articles/easy-rsa-subjectaltname/ + + +INTRODUCTION +============ + +This is a modified version of OpenVPN's easy-rsa script, that allows you to +create RSA keys valid for more than one domain by using the subjectAltName +attribute. + +While I don't see this as a good practice when using the certificate for +identity validation (like in establishing a VPN), it can be useful if you +have a web server with just one IP address and want to provide HTTPS service +for several virtual domains without the browser complaining that the site +domain doesn't match the certificate's domain. + + +USAGE +===== + +Use the script as usual, see README.orig and http://openvpn.net/easyrsa.html. +If you want to make a key with several domains, just add them as parameters +on the command line: + + # ./build-key-server www.domain1.com www.domain2.com www.domain3.com + +The key's certificate in ./keys/www.domain1.com.crt will contain a section +like: + + X509v3 Subject Alternative Name: + DNS:www.domain1.com, DNS:www.domain2.com, DNS:www.domain3.com + +Any modern browser should accept the certificate for all these domains +without complaining. diff -urN easy-rsa-2.0/revoke-full easy-rsa-2.0-SAN/revoke-full --- easy-rsa-2.0/revoke-full 2008-11-03 22:11:23.000000000 +0900 +++ easy-rsa-2.0-SAN/revoke-full 2011-01-07 15:41:52.000000000 +0800 @@ -20,6 +20,9 @@ export KEY_OU="" export KEY_NAME="" + # required due to hack in openssl.cnf that supports Subject Alternative Names + export KEY_ALTNAMES="" + # revoke key and generate a new CRL $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" diff -urN easy-rsa-2.0/vars easy-rsa-2.0-SAN/vars --- easy-rsa-2.0/vars 2008-06-12 05:38:07.000000000 +0800 +++ easy-rsa-2.0-SAN/vars 2010-02-18 14:15:58.000000000 +0800 @@ -66,3 +66,7 @@ export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" + +# Optional fields you might want to fill in. +#export KEY_OU="Organizational Unit or Department" +#export KEY_NAME="Name of key signer or maintainer"