Closed TinCanTech closed 6 months ago
As obvious a fix as this appears to be, I would prefer to separate SAN from other "Extra (Undefined) extensions".
Thus, EASYRSA_EXTRA_EXTS
is not the preferred variable to use for SANs.
For Easy-RSA v3.2
, I believe it is also time to resolve #576.
The resolution will be that support for servers named by IP address, having an automatic IP SAN added, is nonsense. Follow-up: #1091
Superseded-by: ~#1093~ #1096
--san|--subject-alt-name current behavior is currently incorrect.
Appending any value to EASYRSA_EXTRA_EXTS repeatedly inserts OpenSSL label 'subjectAltName = ' when this label should be specified once only.
This change correctly formats EASYRSA_EXTRA_EXTS, to only begin with the label 'subjectAltName = ' and append user values to that string.
Example Command line:
Resulting certificate:
The originally required command string:
is also still supported.
Also, the Easy-RSA confirmation dialogue is shown as: