Internal certificate issues without SubjectAlternativeName on pfSense 2.4
-
I just recently upgraded to pfSense 2.4, with very few problems.
The box already had an internal certificate (I produced a working certificate in the cert manager in pfSense 2.3). It was a wildcard cert, so *.local.something.com. The complete certificate information given by the little "i" icon is this:
Serial: 4
Signature Digest: RSA-SHA512
SAN: DNS:*.local.something.com
KU: Digital Signature, Key Encipherment
EKU: TLS Web Server Authentication, IP Security IKE Intermediate
This is fine. But now, on pfSense 2.4, I need to issue a new one, let's call it *.internal.something.com. Whenever I create it, it does not seem to fill in the name for the SAN value, whether I explicitly put one in or not (the cert manager page states that "The Common Name field is automatically added to the certificate as an Alternative Name. The signing CA may ignore or change these values."). For completeness, the info icon gives me this:
Serial: 12
Signature Digest: RSA-SHA512
KU: Digital Signature, Key Encipherment
EKU: TLS Web Server Authentication, IP Security IKE Intermediate
Notice the missing SAN value.
This, in turn, ends up giving me errors in Chrome, as Chrome needs a SubjectAlternativeName in the certificate. I would just like the certificate to be created with a filled-in SAN value of *.internal.something.com, which I suspect would take care of the Chrome complaints.
Either something has changed in 2.4 or I forgot how I added the SAN in 2.3, but any help would be appreciated.
-
It looks like something in the automatic SAN populating code doesn't like wildcards. I was able to make a cert so long as I put a non-wildcard name in the CN and put the wildcard in the SAN.
I'll get that fixed up shortly. https://redmine.pfsense.org/issues/7994
-
Thank you for the confirmation. Will wait for the next patch(es).
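Added example, not part of the original posts and not pfSense code: a shell check, assuming the `openssl` CLI is installed, that lists a certificate's SAN entries and compares a cert with the wildcard only in the CN against one built per the workaround in the reply above. The host name `gw.internal.something.com`, the file names and both throwaway self-signed certs are constructed for the demonstration.

```bash
# Added example: throwaway self-signed certs with constructed names.

# Print the DNS entries of a certificate's SubjectAlternativeName, one per line.
list_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 only if NAME appears verbatim among the SAN DNS entries.
has_san() {
  list_sans "$1" | grep -Fxq -- "$2"
}

# make_cert OUT.pem CN [SAN]: self-signed test cert; SAN is omitted when empty.
make_cert() {
  out=$1 cn=$2 san=$3 cnf=$1.cnf
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
    printf '[dn]\nCN = %s\n' "$cn"
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = DNS:%s\n' "$san"; fi
  } > "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
    -keyout "$out.key" -out "$out" 2>/dev/null
}

tmp=$(mktemp -d)
# Cert A reproduces the report: wildcard in the CN only, no SAN extension.
make_cert "$tmp/cn_only.pem" '*.internal.something.com' ''
# Cert B follows the workaround: non-wildcard CN (assumed name), wildcard in SAN.
make_cert "$tmp/workaround.pem" 'gw.internal.something.com' '*.internal.something.com'

for c in "$tmp"/*.pem; do
  if has_san "$c" '*.internal.something.com'; then
    echo "$c: wildcard present in SAN"
  else
    echo "$c: wildcard missing from SAN"
  fi
done
```

Running `list_sans` against a certificate exported from the cert manager shows the same information as the "i" icon's SAN line.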