Certificate Creation Changes:
Added support for subjectAltName (X509v3 Subject Alternative Name), RFC 5280.
Common Name has been officially deprecated and "Certification Authorities are encouraged to use the dNSName" (RFC 2818). While often used as the fallback in the absence of the subjectAlternativeName extension, support for it has been dropped by popular browsers (Google, Firefox, etc.). Therefore, it is recommended to use this preferred extension.
During certificate creation, the script checks for subjectAltName in the openssl config. If not found, it prompts the user whether they wish to have it added. This appends the following to the [ req_attributes ] section of the openssl config (default: /etc/ssl/openssl.cnf):
subjectAltName = Alternative DNS names, Email addresses or IPs (comma separated list; e.g. DNS:example.com,DNS:www.example.com)
This then adds the above prompt during CSR generation in openssl cli, which this script leverages.
The following are a couple of examples of the proper syntax for this Alternative Names field:
DNS:example.com, DNS:www.example.com
DNS:example.com, DNS:www.example.com, IP:127.0.0.1
Configurable certificate options
Cipher to encrypt private key (e.g. des3, aes128, aes192, etc.): prompts user for input. Default increased to aes256.
Size of private key to generate in bits: prompts user for input (numbits). Default increased to 4096.
Clarified the Verify certificates submenu options for verifying keypairs:
1. CSR is signed by private key
2. Public certificate and private key are a keypair
3. 3rd party intermediate chain file and signed public certificate are a keypair
4. Check date validity of certificates
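As an added example (not the script's own code), the POSIX shell functions below implement the four keypair checks listed above and generate a key, CSR and self-signed certificate carrying the subjectAltName syntax from the section above, all through the openssl CLI. It assumes OpenSSL 1.1.1 or later (for `req -addext` and `x509 -ext`); the function names and the work directory layout are mine.

```shell
#!/bin/sh
# Added example (not the script's own code): the four "Verify certificates"
# checks plus a CSR/cert carrying a subjectAltName, via the openssl CLI.
# Assumes OpenSSL >= 1.1.1 (`req -addext`, `x509 -ext`); function names are mine.
set -u

# SHA-256 of the public key held in a key, CSR or certificate. Keypair checks
# compare this public half rather than the raw PEM files.
pubkey_fp() { # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# 1. CSR is signed by private key: the CSR's own signature must verify AND its
#    embedded public key must belong to the given private key.
csr_signed_by_key() { # $1 = key, $2 = csr
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 &&
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp csr "$2")" ]
}

# 2. Public certificate and private key are a keypair.
cert_matches_key() { # $1 = key, $2 = cert
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]
}

# 3. Signed certificate chains to the (intermediate) chain file.
cert_matches_chain() { # $1 = chain, $2 = cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 4. Date validity: certificate is still valid $2 days from now (0 = today).
cert_valid_for_days() { # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Key + CSR with the SAN list from the notes, then a self-signed cert that keeps
# the extension (-extfile works on both 1.1.1 and 3.x). Prints the cert's SAN.
make_san_cert() { # $1 = work dir, $2 = e.g. "DNS:example.com,DNS:www.example.com"
    printf 'subjectAltName=%s\n' "$2" > "$1/san.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/req.csr" \
        -subj "/CN=example.com" -addext "subjectAltName=$2" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 30 \
        -extfile "$1/san.ext" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/cert.pem" -noout -ext subjectAltName
}
```

For a real deployment, check 3 is run against the CA's intermediate chain file rather than the self-signed certificate used here, and a key-mismatch (as with a freshly generated unrelated key) makes checks 1 and 2 return non-zero.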