texadactyl
commented
2 years ago I am guessing that you wrote your own CSR generation for user certs and included some extension information. True? How much extension information? Just the IP address of the web app/server?
In diyca_web_signer.py, see function sign_csr. Go down to line #74 (# Sign CSR, giving the CRT).
Just after line #82, you want to copy the extension to the cert.
Maybe, something like this?
ext_list = csr.get_extensions()
if ext_list:
cert.add_extensions(ext_list)Try it!
NorthyIE
I am using diyca to quickly sign CSR's for internal testing of web apps and servers. I know that this is not the intended use of this CA but it works really well for me. The only issue I have is that I have to use the X509Extension "subjectAltName" which is included in the CSR. Is there a way that the diyca_web_signer.py could be modified to check the CSR for such extentions and include them in the output CRT?
I have tried to add this myself but unfortunately I have failed so far. For OpenSSL I can add extensions using the "-extfile" and "-extensions" -flags, but I don't know how to translate this to python.