From 7267d6ee569bfb42fe1aa735dcaadad44052c4a7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 26 Oct 2022 15:29:37 -0400
Subject: [PATCH] Clean up dev cert construction (#17657)

Vault's new TLS devvault mode has two nits with certificate construction:

1. The CA doesn't need to include any SANs, as these aren't checked. Technically this means the CA could be reused as a leaf certificate for the one specified IP SAN, which is less desirable.
2. Add hostname to SANs in addition to CNs. This is a best practice, as (when the CN is a hostname), it is preferable to have everything in SANs as well.

Neither of these are major changes.

Signed-off-by: Alexander Scheel
Signed-off-by: Alexander Scheel
---
 command/server/tls_util.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/command/server/tls_util.go b/command/server/tls_util.go
index d327006332..34f6a72f61 100644
--- a/command/server/tls_util.go
+++ b/command/server/tls_util.go
@@ -66,6 +66,18 @@ func GenerateCert(caCertTemplate *x509.Certificate, caSigner crypto.Signer) (str
 		SubjectKeyId: signerKeyId,
 	}
 
+	// Only add our hostname to SANs if it isn't found.
+	foundHostname := false
+	for _, value := range template.DNSNames {
+		if value == hostname {
+			foundHostname = true
+			break
+		}
+	}
+	if !foundHostname {
+		template.DNSNames = append(template.DNSNames, hostname)
+	}
+
 	bs, err := x509.CreateCertificate(
 		rand.Reader, &template, caCertTemplate, signer.Public(), caSigner)
 	if err != nil {
@@ -113,7 +125,6 @@ func GenerateCA() (*CaCert, error) {
 		NotBefore:      time.Now().Add(-1 * time.Minute),
 		AuthorityKeyId: signerKeyId,
 		SubjectKeyId:   signerKeyId,
-		IPAddresses:    []net.IP{net.ParseIP("127.0.0.1")},
 	}
 
 	bs, err := x509.CreateCertificate(
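Review bot: The dedupe loop added to GenerateCert compares hostname to each DNSNames entry byte-for-byte, so a duplicate that differs only in case slips through (DNS names match case-insensitively), and nothing checks that hostname is actually a DNS name; where hostname is assigned, and the start of the function, lie outside the hunk. If it can hold an IP literal, appending it to DNSNames yields a dNSName SAN that Go's verifier does not match against an IP, which the commit's own goal of "everything in SANs" then misses. I would compare with `if strings.EqualFold(value, hostname) {` in the loop and gate the append with `if !foundHostname && hostname != "" && net.ParseIP(hostname) == nil {`, routing an IP literal to template.IPAddresses instead; whether strings and net are imported in this file is not visible in the hunk.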