tdharris
commented
5 years ago Great idea! Yah, I believe that it is now recommended to use this subjectAltName extension now. Well I think it has been "recommended" for a long time over just the commonName, but browsers have been enforcing it "lately."
So this is just a configuration of the openssl config (default is /etc/ssl/openssl.cnf). But I like the idea of the script asking if it should configure that. I went ahead and added it to my other repo related to managing certificates. Checkout @tdharris/openssl-toolkit v1.1.0 release! I added details there to explain how it works, etc.
Thanks for the idea! Hope you find the other script useful, as I am considering keeping this certs.sh archived maybe or deprecate it in favor of the openssl-toolkit one..
It would be wonderful if we could add SANs (Subject Alternative Name) It looks like openssl does have some ability on that front which would be useful, though I do suspect it will take a hunk of work to add this.