smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

[Bug]: CN not added as SAN #1171

Closed GBBx closed 2 months ago

GBBx commented 3 months ago

Steps to Reproduce

  1. Create CSR without specifying SAN:

    openssl req \
      -new -newkey rsa:4096 \
      -out example.com.csr \
      -keyout example.com.pem \
      -subj "/C=AU/ST=Example/L=Example/O=Example Ltd./OU=Example Team/CN=example.com.crt"

  2. Sign certificate:

    step certificate sign \
      example.com.csr \
      /etc/step-ca/certs/root_ca.crt \
      /etc/step-ca/secrets/root_ca_key > example.com.crt

  3. Check SAN of certificate:

    openssl x509 -noout -ext subjectAltName -in example.com.crt
    # output:
    No extensions in certificate

Your Environment

Expected Behavior

The common name should be automatically added as a SAN.

Actual Behavior

The SAN is empty.

Additional Context

No response


dopey commented 2 months ago

Hey @GBBx 👋. Thanks for opening the issue! And apologies for the radio silence.

I have a pretty simple fix for this (I'll post the PR shortly), but I'm curious what the expected behavior would be if the CSR did have SANs but the commonName wasn't in the SANs? Should it still be automatically added as a SAN, or does that only apply if the SANs are empty?

GBBx commented 2 months ago

Hi @dopey, thanks a lot for fixing this. I cannot give you advice, but I think I would align it with publicly trusted certificate providers. I believe if I bought a certificate from them, they would only add the CN as a SAN if there's no other SAN entry.