OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

sign-req: Remove default server 'subject alternative name' SAN #1091

Closed TinCanTech closed 5 months ago

TinCanTech commented 5 months ago

Default SAN is removed from Easy-RSA.

The default SAN values provided by Easy-RSA are inadequate for purpose.

The default name is the same as 'commonName' and, therefore, not alternate.

The default IP address is a good example of "more is less".

TinCanTech commented 5 months ago

FTR, renew works without needing default SAN, e.g.:

$ easyrsa --nopass renew s3
Using Easy-RSA 'vars' configuration:
* /home/tct/git/easy-rsa/test/installed/test D/pki/vars

WARNING
=======
This process is destructive!

These files will be MOVED to the 'renewed' sub-directory:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/s3.crt

These files will be DELETED:
All PKCS files for commonName: s3

The inline credentials files:
* /home/tct/git/easy-rsa/test/installed/test D/pki/s3.creds
* /home/tct/git/easy-rsa/test/installed/test D/pki/inline/s3.inline

The duplicate certificate:
* /home/tct/git/easy-rsa/test/installed/test D/pki/certs_by_serial/ABA12C492139A9A494D1198EE75BB5A0.pem

Please confirm you wish to renew the certificate
with the following subject:

  subject=
    commonName                = s3

X509v3 Subject Alternative Name:
    DNS:server3,DNS:swerveur3,IP:2.2.2.2,IP:10.1.1.1

  serial-number: ABA12C492139A9A494D1198EE75BB5A0

Type the word 'yes' to continue, or any other input to abort.
    Continue with renewal:
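The criterion argued in this PR (a SAN entry that merely repeats the commonName is not alternate) can be turned into an audit over openssl-style certificate text such as the renewal prompt above. This is an added illustration, not code from easy-rsa; the function names and the constructed sample inputs are assumptions.

```python
"""Audit an X.509 Subject Alternative Name against the commonName.

Input is text of the form printed by Easy-RSA's renew prompt or by
`openssl x509 -noout -subject -ext subjectAltName`:
    commonName = s3
    X509v3 Subject Alternative Name:
        DNS:server3,DNS:swerveur3,IP:2.2.2.2,IP:10.1.1.1
"""
import re
from typing import Dict, List, Tuple


def parse_san(san_line: str) -> List[Tuple[str, str]]:
    """Split 'DNS:a,IP:1.2.3.4' (Easy-RSA style) or 'DNS:a, IP:1.2.3.4'
    (openssl style) into [('DNS', 'a'), ('IP', '1.2.3.4')]."""
    entries = []
    for item in san_line.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().upper(), value.strip()))
    return entries


def audit_san(common_name: str, san_line: str) -> Dict[str, List[str]]:
    """Classify each SAN entry: 'redundant' if it is a DNS name equal to the
    commonName (adds nothing), otherwise 'alternate'."""
    result: Dict[str, List[str]] = {"alternate": [], "redundant": []}
    cn = common_name.strip().lower()
    for kind, value in parse_san(san_line):
        bucket = "redundant" if kind == "DNS" and value.lower() == cn else "alternate"
        result[bucket].append(f"{kind}:{value}")
    return result


def audit_cert_text(text: str) -> Dict[str, List[str]]:
    """Extract commonName and the SAN line from openssl-style text and audit it.
    A certificate with no SAN extension yields empty lists for both buckets."""
    cn_match = re.search(r"commonName\s*=\s*([^\n]+)", text)
    san_match = re.search(r"Subject Alternative Name:\s*([^\n]+)", text)
    if not cn_match or not san_match:
        return {"alternate": [], "redundant": []}
    return audit_san(cn_match.group(1), san_match.group(1))


def san_is_alternate(common_name: str, san_line: str) -> bool:
    """True only if at least one SAN entry names something beyond the CN."""
    return bool(audit_san(common_name, san_line)["alternate"])
```

Running `audit_san("s3", "DNS:s3")` reproduces the case the PR objects to: the only entry lands in `redundant` and `san_is_alternate` returns False.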