
Commit e5ab833

authored
Add CSR common name to SANs if no other SANs are defined in CSR (#1172)
* Add CSR common name to SANs if no other SANs are defined in CSR
1 parent 028915b commit e5ab833


1 file changed

+21
-4
lines changed


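--- a/command/certificate/sign.go
+++ b/command/certificate/sign.go
@@ -37,8 +37,8 @@ func signCommand() cli.Command {
 Action: cli.ActionFunc(signAction),
 Usage: "sign a certificate signing request (CSR)",
 UsageText: `**step certificate sign** <csr-file> <crt-file> <key-file>
-[**--profile**=<profile>] [**--template**=<file>]
-[**--set**=<key=value>] [**--set-file**=<file>]
+[**--profile**=<profile>] [**--template**=<file>]
+[**--set**=<key=value>] [**--set-file**=<file>] [**--omit-cn-san**]
 [**--password-file**=<file>] [**--path-len**=<maximum>]
 [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]
 [**--bundle**]`,
@@ -79,6 +79,11 @@ Sign a CSR with custom validity and bundle the new certificate with the issuer:
 $ step certificate sign --bundle --not-before -1m --not-after 16h leaf.csr issuer.crt issuer.key
 '''
 
+Sign a CSR but do not add the Common Name to the SANs extension of the certificate:
+'''
+$ step certificate sign --omit-cn-san leaf.csr issuer.crt issuer.key
+'''
+
 Sign an intermediate ca:
 '''
 $ step certificate sign --profile intermediate-ca intermediate.csr issuer.crt issuer.key
@@ -174,6 +179,14 @@ $ step certificate sign \
 flags.Template,
 flags.TemplateSet,
 flags.TemplateSetFile,
+cli.BoolFlag{
+Name: "omit-cn-san",
+Usage: `Do not add CSR Common Name as SAN extension in resulting certificate.
+By default, the CSR Common Name will be added as a SAN extension only if the CSR
+does not contain any SANs. Note that if the Common Name is already captured as a
+SAN extension in the CSR then it will still appear as a SAN extension in the
+certificate.`,
+},
 flags.PasswordFile,
 cli.StringFlag{
 Name: "not-before",
@@ -327,7 +340,7 @@ func signAction(ctx *cli.Context) error {
 }
 
 // Create certificate template from csr.
-data := createTemplateData(csr, maxPathLen)
+data := createTemplateData(csr, maxPathLen, ctx.Bool("omit-cn-san"))
 data.SetUserData(userData)
 tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate(template, data))
 if err != nil {
@@ -424,7 +437,7 @@ func validateIssuer(crt *x509.Certificate, profile string, maxPathLen int) error
 // createTemplateData create a new template data with subject and sans based on
 // the information in the certificate request, and the maxPathLen for
 // intermediate certificates.
-func createTemplateData(cr *x509.CertificateRequest, maxPathLen int) x509util.TemplateData {
+func createTemplateData(cr *x509.CertificateRequest, maxPathLen int, omitCNSAN bool) x509util.TemplateData {
 var sans []string
 sans = append(sans, cr.DNSNames...)
 sans = append(sans, cr.EmailAddresses...)
@@ -435,6 +448,10 @@ func createTemplateData(cr *x509.CertificateRequest, maxPathLen int) x509util.Te
 sans = append(sans, v.String())
 }
 
+if !omitCNSAN && len(sans) == 0 && cr.Subject.CommonName != "" {
+sans = append(sans, cr.Subject.CommonName)
+}
+
 data := x509util.NewTemplateData()
 data.SetCertificateRequest(cr)
 data.Set("MaxPathLen", maxPathLen)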
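Review bot: The new `if` block in the last hunk copies `cr.Subject.CommonName` verbatim into `sans` without checking that it is a hostname, IP address or email, so a descriptive CN such as `Example Intermediate CA` is handed to the template as a SAN; the `--profile intermediate-ca` path shown in this file calls the same `createTemplateData`, and how x509util then encodes that string is not visible here. Because the flag is an opt-out (`--omit-cn-san`), existing callers signing CA or client CSRs that carry a CN and no SANs will start receiving a SAN extension without changing anything on their side, turning a name that RFC 6125-style verifiers ignore in the CN into one they will match. Consider gating the promotion on the CN parsing as a SAN-shaped value, or at minimum adding a comment above the block: `// Promote the CN to a SAN only when the CSR carries no SANs; the CN is copied verbatim and is not validated as a hostname/IP/email.` The doc comment on createTemplateData in the previous hunk should also mention the promotion and the omitCNSAN parameter, since it now describes only subject, sans and maxPathLen. The enclosing createTemplateData body starts outside this hunk.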
