Netgate Discussion Forum

    Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3

    General pfSense Questions
    8 Posts 6 Posters 1.2k Views 6 Watching
    • multilan

      Hi, I put this under General Questions because I don't see a Certificates category. When I generate a CSR for a wildcard certificate (.mydomain.com) the CSR includes a copy of the wildcard domain name (.mydomain.com) in the Subject Alternative Name field. The CA will not accept this and I do not know how to remove the SAN field when I create it. It seems to be in there by default. I don't need the SAN field in there at all. Previous versions did not do this. Any ideas on how to fix?

      Thanks

      • stephenw10 Netgate Administrator

        You mean prevent the CN being added as a SAN? I don't think that's possible via the GUI at least.
        Can you do this off the firewall and import it?

        What CA does not accept this out of interest?

        Steve

        • johnpoz LAYER 8 Global Moderator

          You kind of do need SAN - since any current browser is going to balk at the cert if missing SAN.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • kpa

            Your CA doesn't know what they are doing, because how else are you going to get a cert with a domain.tld SAN if it's not already included in the CSR?

            • multilan

              Hi, thanks for the input, but I fixed the issue using a workaround. Basically I installed pfSense 2.3.4 and created the wildcard CSR (because 2.3.4 does not include the SAN field in the CSR). Sent it to my CA (Comodo), retrieved the certificate, imported it into pfSense 2.3.4, then I exported the certificate and key pair. Logged into my pfSense 2.4.3 and imported the key/cert pair. All good now! Now if only pfSense 2.4.3 can be patched to eliminate all this work, it would be great!

              Cheers

              • Derelict LAYER 8 Netgate

                I believe the SAN is the correct place for that and Comodo is wrong.

                Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

                .mydomain.com is not a wildcard. *.domain.com is.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • Mats @Derelict

                  @derelict said in Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3:

                  I believe the SAN is the correct place for that and Comodo is wrong.

                  Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

                  .mydomain.com is not a wildcard. *.domain.com is.

                  You are right, Sir.
                  RFC 2818 says that a cert should present a DNS name as a SAN name or that the CN should be used. It also states that the CN is deprecated as the ID for the cert.

                  Therefore SAN names should be used. It's an RFC from the year 2000.

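The RFC 2818 rule Mats cites, and johnpoz's point that a cert without a SAN fails in current browsers, as an added example that is not code from the thread or from pfSense: a small stdlib-only Python model of how a client matches a hostname against a certificate's CN and dNSName SANs, including the one-label wildcard rule. The names CertIdentities, hostname_matches and cn_covered_by_san are hypothetical, and *.mydomain.com is a placeholder domain.

```python
"""Hostname matching against a certificate's identities, following RFC 2818 s3.1.
Added example: models the thread's point that a wildcard belongs in the SAN and
that SAN-only clients never fall back to the CN. Not pfSense or browser code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """Names a certificate (or CSR) presents: Subject CN plus dNSName SAN entries."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented name against a hostname, case-insensitively.
    A wildcard replaces exactly one leftmost label: *.mydomain.com matches
    www.mydomain.com but neither mydomain.com nor a.b.mydomain.com. A wildcard
    directly under a top-level label (e.g. *.com) is rejected as a sanity check."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertIdentities, hostname: str, san_only: bool = True) -> bool:
    """RFC 2818: if any dNSName SAN is present it MUST be used as the identity
    and the CN is ignored; the CN is a deprecated fallback only when no dNSName
    SAN exists. With san_only=True (the behaviour of current browsers, as the
    thread notes) the CN is never consulted, so a SAN-less cert never matches."""
    if cert.san_dns:
        return any(_label_match(name, hostname) for name in cert.san_dns)
    if san_only or cert.common_name is None:
        return False
    return _label_match(cert.common_name, hostname)


def cn_covered_by_san(cert: CertIdentities) -> bool:
    """What the thread describes pfSense 2.4.3 doing when it builds a CSR: the
    CN is repeated as a dNSName SAN so SAN-only clients still see the name.
    Returns False when the CN is only reachable via the deprecated CN fallback."""
    if cert.common_name is None:
        return True
    return any(n.lower() == cert.common_name.lower() for n in cert.san_dns)
```

Run with a real certificate by feeding the CN and the DNS entries from its Subject Alternative Name extension into CertIdentities; a wildcard cert issued correctly will have *.mydomain.com in the SAN list and pass cn_covered_by_san.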
                  • Derelict LAYER 8 Netgate

                    Yeah seems Comodo has some catching up to do.

                    If they don't like the SAN in the CSR they can always just ignore it and set their own before they sign.

                    There are also a myriad of CAs to choose from so...

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.