Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert
If an IPv6 domain name (e.g. `[::1]`) is provided manually in the `ca.json`, this commit ensures that it is represented as an IP SAN in the TLS certificate. Before this change, the IPv6 address would become a DNS SAN.
This commit is contained in:
parent
1fe7362bee
commit
e887ccaa07
1 changed files with 13 additions and 1 deletions
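--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -10,6 +10,7 @@ import (
 "encoding/json"
 "encoding/pem"
 "fmt"
+"net"
 "net/http"
 "strings"
 "time"
@@ -508,8 +509,19 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 return fatal(errors.New("private key is not a crypto.Signer"))
 }
 
+// prepare the sans: IPv6 DNS hostname representations are converted to their IP representation
+sans := make([]string, len(a.config.DNSNames))
+for i, san := range a.config.DNSNames {
+if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
+if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil {
+san = ip.String()
+}
+}
+sans[i] = san
+}
+
 // Create initial certificate request.
-cr, err := x509util.CreateCertificateRequest("Step Online CA", a.config.DNSNames, signer)
+cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
 if err != nil {
 return fatal(err)
 }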
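Review bot: A bracketed value that net.ParseIP rejects — a zone-scoped literal such as `[fe80::1%eth0]`, or a plain typo — falls through the new `if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil` check unchanged and is still handed to CreateCertificateRequest as a DNS SAN, brackets included, with no signal to the operator. Since these values come from operator-edited ca.json and end up in the CA's own TLS certificate, the fall-through deserves an explicit outcome: either reject it, `return fatal(fmt.Errorf("invalid IP address in DNS name %q", san))` (fmt is already imported per the first hunk), or at least log it so a malformed SAN is visible at startup rather than discovered in the issued cert. The loop body also only strips one bracket pair, so the conversion intentionally applies to the `[addr]` form alone; a one-line comment saying so, `// only the bracketed form needs help: bare IP literals are presumably already classified downstream`, would spare the next reader the question (that downstream behaviour is inferred, not visible here). GetTLSCertificate begins and ends outside the hunk.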