OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

subjectAltName should be mandatory #1187

Closed lfarkas closed 1 month ago

lfarkas commented 2 months ago

Currently all certs are generated by default without a SAN, even though, since Chrome 58, Common Name support has been dropped: https://www.thesslstore.com/blog/security-changes-in-chrome-58/

So browser vendors made their own schemes and restrictions. Much later, a new RFC (6125, from March 2011) was published, with section 6.4.3 dedicated to the processing of wildcard names in certificates. What RFC 6125 describes is more in tune with the reality, and is a "proposed standard", so there is at least some will, at some level, to make it happen. However, nothing in RFC 6125 mandates rejection of *.com; yet browsers do reject it.

https://www.rfc-editor.org/rfc/rfc6125#section-6.4.3

Yes, I know I can add it with --san=..., but IMHO at least a config option to always add it would be very useful.

You can make a simple check: just generate an example.local cert w/o SAN and with it; Chrome will accept it with the SAN, not without.
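To make the check above concrete, here is an added example (not easy-rsa code, and not something the reporter posted) that models what a Chrome 58+ client does when it validates a server name: the subjectAltName dNSName entries are matched per RFC 6125 section 6.4.3, the Common Name is ignored entirely unless a legacy fallback is explicitly enabled, and a wildcard is only honoured in the left-most label. The `min_labels_after_wildcard` rule that rejects `*.com` is an assumption that stands in for the browsers' public-suffix checks the quoted text refers to; real browsers use a public suffix list rather than a label count. `CertNames` is a constructed stand-in for the names read out of a certificate.

```python
"""Hostname verification in the style of RFC 6125 / Chrome 58+.

Added example: it is not part of easy-rsa. CertNames stands in for the
names extracted from a real certificate (CN and SAN dNSName entries).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CertNames:
    """Constructed view of a certificate's identifiers."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str,
                     min_labels_after_wildcard: int = 2) -> bool:
    """Match one presented dNSName against a reference hostname.

    Rules applied (RFC 6125 section 6.4.3):
      1. a wildcard is only accepted as the whole left-most label;
      2. the wildcard matches exactly one label, never "a.b" for "*.x";
    plus a browser-style restriction the RFC does not mandate:
      3. at least `min_labels_after_wildcard` labels must follow the
         wildcard, so "*.com" is rejected (assumption; browsers really use
         a public suffix list here).
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    # Rule 1: only "*" as the entire left-most label, nothing else may carry "*".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Rule 3: reject overly broad wildcards such as "*.com".
    if len(p_labels) - 1 < min_labels_after_wildcard:
        return False
    # Rule 2: the wildcard covers exactly one label.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def verify_hostname(names: CertNames, hostname: str,
                    allow_cn_fallback: bool = False) -> Tuple[bool, str]:
    """Decide whether `hostname` is a valid reference identity for the cert.

    If any SAN dNSName is present, only SAN entries are consulted; the CN is
    never used as a fallback in that case. A certificate with no SAN at all
    fails unless the caller opts into the legacy CN behaviour that Chrome 58
    removed.
    """
    if names.san_dns:
        for presented in names.san_dns:
            if dns_name_matches(presented, hostname):
                return True, f"matched SAN dNSName {presented!r}"
        return False, "no SAN dNSName matched; CN not consulted because SAN is present"
    if allow_cn_fallback and dns_name_matches(names.common_name, hostname):
        return True, "matched CN via legacy fallback (pre-Chrome 58 behaviour)"
    return False, "certificate has no subjectAltName; CN is ignored"


def demo() -> dict:
    """Reproduce the reporter's experiment with a CN-only vs. SAN cert."""
    cn_only = CertNames(common_name="example.local")
    with_san = CertNames(common_name="example.local", san_dns=["example.local"])
    return {
        "cn_only_modern": verify_hostname(cn_only, "example.local")[0],
        "cn_only_legacy": verify_hostname(cn_only, "example.local", allow_cn_fallback=True)[0],
        "with_san_modern": verify_hostname(with_san, "example.local")[0],
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Running it prints that the CN-only certificate is rejected by the modern rules and only accepted under the legacy fallback, while the certificate carrying a SAN is accepted; that is the difference `EASYRSA_AUTO_SAN` (or `--san`) closes.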

TinCanTech commented 2 months ago

imho at least a config option to always add it would be very useful

Completed via 37e1e900f91dcd29da975ad4c838000a223b66d7

lfarkas commented 2 months ago

Some kind of documentation would be nice. E.g. can I set EASYRSA_AUTO_SAN to true and add it to the openssl-easyrsa.cnf, etc...?

TinCanTech commented 2 months ago

would be nice some kind of documentation

See help opts

can I use EASYRSA_AUTO_SAN to true and add it to the openssl-easyrsa.cnf etc...

etc... ?

lfarkas commented 2 months ago

How can I configure it if I always would like to add the CN to the SAN (without a command line argument, i.e. in openssl-easyrsa.cnf)?

TinCanTech commented 2 months ago

EasyRSA uses the vars file to set environment variables, such as EASYRSA_AUTO_SAN. In this case add the following to your working vars file:

set_var   EASYRSA_AUTO_SAN   1

This will force all certificates to include an automatically generated SAN.

TinCanTech commented 1 month ago

Closed via https://github.com/OpenVPN/easy-rsa/blob/f0b22c46f08407b3340d10cb9e4fdfdbcad8407a/ChangeLog#L9