Generate Subject if forceCN and Subject is empty

When `forceCN` is set in provisioner configuration and Subject.CommonName is empty, set Subject.CommonName to the first SAN from the CSR to follow the letsencrypt's boulder behavior. This is done in order to support system which require certificate's Subject field to be non-empty. N.B. certbot does not send Subject in its certificate request and relies on similar behavior of letsencrypt. Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00 · 2020-05-14 13:23:42 +03:00 · 0218018cee
commit 0218018cee
parent 503c9f6101
1 changed files with 7 additions and 0 deletions
--- a/acme/order.go
+++ b/acme/order.go
@ -262,6 +262,13 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
 	if csr.Subject.CommonName != "" {
 		csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
 	}
+
+	// Generate Subject CommonName for supporting `conservative` systems
+	// which does not accept certificates with empty subject
+	if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
+		csr.Subject.CommonName = csr.DNSNames[0]
+	}
+
 	csr.DNSNames = uniqueLowerNames(csr.DNSNames)
 	orderNames := make([]string, len(o.Identifiers))
 	for i, n := range o.Identifiers {