Netgate Discussion Forum
Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3

General pfSense Questions
8 Posts 6 Posters 870 Views
multilan, Jul 11, 2018, 4:19 PM

    Hi, I put this under General Questions because I don't see a Certificates category. When I generate a CSR for a Wildcard certificate (.mydomain.com) the CSR includes a copy of the wildcard domain name (.mydomain.com) in the Subject Alternative Name field. The CA will not accept this and I do not know how to remove the SAN field when I create it. It seems to be in there by default. I don't need the SAN field in there at all. Previous versions did not do this. Any ideas on how to fix?

    Thanks

stephenw10 (Netgate Administrator), Jul 15, 2018, 2:28 PM

      You mean prevent the CN being added as a SAN? I don't think that's possible via the GUI at least.
      Can you do this off the firewall and import it?

      What CA does not accept this out of interest?

      Steve

johnpoz (LAYER 8 Global Moderator), Jul 15, 2018, 3:02 PM

        You kind of do need SAN - since any current browser is going to balk at the cert if missing SAN.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

kpa, Jul 15, 2018, 3:14 PM

           Your CA doesn't know what they are doing, because how else are you going to get a cert with a domain.tld SAN if it's not already included in the CSR?

multilan, Jul 15, 2018, 9:36 PM

             Hi, thanks for the input, but I fixed the issue using a workaround. Basically I installed pfSense 2.3.4 and created the Wildcard CSR (because 2.3.4 does not include the SAN field in the CSR). Sent it to my CA (Comodo), retrieved the certificate, imported it into pfSense 2.3.4, then I exported the certificate and key pair. Logged into my pfSense 2.4.3 and imported the key/cert pair. All good now! Now if only pfSense 2.4.3 can be patched to eliminate all this work it would be great!

            Cheers

Derelict (LAYER 8 Netgate), Jul 15, 2018, 9:56 PM

              I believe the SAN is the correct place for that and Comodo is wrong.

              Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

              .mydomain.com is not a wildcard. *.domain.com is.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

Mats, in reply to Derelict, Jul 18, 2018, 4:43 PM

                @derelict said in Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3:

                I believe the SAN is the correct place for that and Comodo is wrong.

                Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

                .mydomain.com is not a wildcard. *.domain.com is.

                You are right Sir.
                RFC 2818 says that a cert should present a DNS name as a SAN name or that the CN should be used. It also states that the CN is deprecated as the ID for the cert.

                Therefore SAN names should be used. It's an RFC from the year 2000.

Derelict (LAYER 8 Netgate), Jul 18, 2018, 4:53 PM

                  Yeah seems Comodo has some catching up to do.

                  If they don't like the SAN in the CSR they can always just ignore it and set their own before they sign.

                  There are also a myriad of CAs to choose from so...


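Added example, not from the thread or from pfSense itself: Steve's suggestion to build the CSR off the firewall, and Derelict's point that a CA can disregard the CSR's SAN and set its own at signing time, as OpenSSL commands. It generates a wildcard CSR both with the CN copied into a DNS SAN (what the 2.4.x GUI does) and without one (the 2.3.x behaviour the poster fell back to), reads the SAN back out of each CSR, and then plays a CA that ignores the request and stamps its own SAN onto the certificate. The domain *.example.com, the file names and the self-signing stand-in for a real CA are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense): wildcard CSR
# generation off the firewall, SAN inspection, and a CA that sets its own SAN.
# *.example.com and the file names are assumptions for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_wildcard_csr NAME WILDCARD with_san|no_san
# Writes NAME.key and NAME.csr under $WORKDIR and prints the CSR path.
# with_san mirrors the 2.4.x GUI (CN copied into a DNS SAN); no_san mirrors 2.3.x.
gen_wildcard_csr() {
  name=$1; wild=$2; mode=$3
  cfg="$WORKDIR/$name.cnf"
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "prompt = no"
    if [ "$mode" = with_san ]; then
      echo "req_extensions = ext"
    fi
    echo "[dn]"
    echo "CN = $wild"
    if [ "$mode" = with_san ]; then
      echo "[ext]"
      echo "subjectAltName = DNS:$wild"
    fi
  } >"$cfg"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  echo "$WORKDIR/$name.csr"
}

# csr_cn CSR -> the CN from the CSR subject (handles both "CN = x" and "/CN=x" output)
csr_cn() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_san CSR -> the DNS SAN entries requested in the CSR, empty when there are none
csr_san() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# sign_with_own_san CSR KEY SAN OUT
# Stand-in for a CA that disregards whatever SAN the CSR asked for and sets its
# own through -extfile. Self-signed with the CSR's own key purely for the demo.
sign_with_own_san() {
  csr=$1; key=$2; san=$3; out=$4
  printf 'subjectAltName=%s\n' "$san" >"$out.ext"
  openssl x509 -req -in "$csr" -signkey "$key" -days 1 -sha256 \
    -extfile "$out.ext" -out "$out" 2>/dev/null
  echo "$out"
}

# cert_san CERT -> the DNS SAN entries present in an issued certificate
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Demo: a 2.4.x-style CSR, a 2.3.x-style CSR, then a CA that ignores the CSR SAN.
csr_a=$(gen_wildcard_csr wild_san '*.example.com' with_san)
csr_b=$(gen_wildcard_csr wild_nosan '*.example.com' no_san)
echo "CN in CSR:           $(csr_cn "$csr_a")"
echo "SAN in 2.4.x-style:  $(csr_san "$csr_a")"
echo "SAN in 2.3.x-style:  '$(csr_san "$csr_b")'"
cert=$(sign_with_own_san "$csr_b" "$WORKDIR/wild_nosan.key" \
  'DNS:*.example.com,DNS:example.com' "$WORKDIR/wild.crt")
echo "SAN in issued cert:  $(cert_san "$cert")"
```

The last step is the part worth checking on any wildcard certificate you get back: whatever the CSR said, it is the issued certificate's subjectAltName that clients match against, so inspect that with `openssl x509 -noout -text` (as `cert_san` does) rather than the CN.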
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.