jsha / minica

minica is a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used.
MIT License
3.01k stars, 240 forks

Option to enable PermittedDNSDomains #26

Open JustinAzoff opened 5 years ago

JustinAzoff commented 5 years ago

Hi!

Would you accept a PR that adds an option to fill in PermittedDNSDomains? I verified it works if I just add 2 lines to the template:

    PermittedDNSDomainsCritical: true,
    PermittedDNSDomains: []string{".local", ".me.dev"},

Then if I try to generate a cert for google.com it fails validation:

$ ./minica -domains google.com
$ openssl verify -CAfile minica.pem google.com/cert.pem
CN = google.com
error 47 at 0 depth lookup: permitted subtree violation
error google.com/cert.pem: verification failed

It'll take a bunch of changes to pass a new CLI option all the way up to makeRootCert
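What the two template lines above do, end to end, as an added example in Go (this is not minica's code and does not touch its makeRootCert; the root subject "constrained test root", the helper names newRoot/issueLeaf/verifyAgainst/Demo and the in-scope host printer.local are assumptions chosen for the demo). It builds a root with a critical PermittedDNSDomains constraint, has that root sign one leaf inside the permitted subtrees and one for google.com, and verifies both with crypto/x509 the way a Go TLS client would. The CA happily signs the out-of-scope leaf; it is the verifier that rejects it, which is exactly what the OpenSSL "permitted subtree violation" above shows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed CA limited by name constraints to the given DNS subtrees (hypothetical helper).
func newRoot(permitted []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constrained test root"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// The two template lines from the issue: critical, so a verifier that
		// does not understand name constraints must reject the chain.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         permitted,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server cert for one DNS name; the CA does not refuse out-of-scope names itself.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // constraints are checked against SANs
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst chains leaf to root for dnsName, as a TLS client would.
func verifyAgainst(root, leaf *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// ConstraintViolated reports whether err is Go's equivalent of OpenSSL's "permitted subtree violation".
func ConstraintViolated(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

// Demo issues one in-scope and one out-of-scope leaf from a constrained root and verifies each.
func Demo(permitted []string, inScope, outOfScope string) (inErr, outErr error) {
	root, rootKey, err := newRoot(permitted)
	if err != nil {
		return err, err
	}
	leafIn, err := issueLeaf(root, rootKey, inScope)
	if err != nil {
		return err, err
	}
	leafOut, err := issueLeaf(root, rootKey, outOfScope)
	if err != nil {
		return err, err
	}
	return verifyAgainst(root, leafIn, inScope), verifyAgainst(root, leafOut, outOfScope)
}

func main() {
	inErr, outErr := Demo([]string{".local", ".me.dev"}, "printer.local", "google.com")
	fmt.Println("printer.local:", inErr) // nil: inside the permitted subtree
	fmt.Println("google.com:", outErr)   // name-constraint error from the verifier
}
```

One edge case worth knowing when choosing the constraint strings: a leading dot means "subdomains of", so with ".me.dev" a certificate for api.me.dev verifies but one for the bare name me.dev is rejected, in both Go and OpenSSL. If the apex itself must be issuable, list it as a second entry without the dot.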

jsha commented 5 years ago

Have you looked at mkcert? https://github.com/FiloSottile/mkcert

It might be closer to what you're looking for.


JustinAzoff commented 5 years ago

I have. minica is what I'm looking for (easy SSL certs for local services and IoT crap). mkcert has the same issue of not being able to limit the scope of the CA anyway.