Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3



  • Hi, I put this under General Questions because I don't see a Certificates category. When I generate a CSR for a wildcard certificate (.mydomain.com), the CSR includes a copy of the wildcard domain name (.mydomain.com) in the Subject Alternative Name field. The CA will not accept this, and I do not know how to remove the SAN field when I create it. It seems to be in there by default. I don't need the SAN field in there at all. Previous versions did not do this. Any ideas on how to fix?

    Thanks


  • Netgate Administrator

    You mean prevent the CN being added as a SAN? I don't think that's possible via the GUI at least.
    Can you do this off the firewall and import it?

    What CA does not accept this out of interest?

    Steve


  • Rebel Alliance Global Moderator

    You kind of do need a SAN, since any current browser is going to balk at the cert if the SAN is missing.



  • Your CA doesn't know what they are doing, because how else are you going to get a cert with a domain.tld SAN if it's not already included in the CSR?



  • Hi, thanks for the input, but I fixed the issue using a workaround. Basically I installed pfSense 2.3.4, created the wildcard CSR (because 2.3.4 does not include the SAN field in the CSR), sent it to my CA (Comodo), retrieved the certificate, imported it into pfSense 2.3.4, then exported the certificate and key pair. Logged into my pfSense 2.4.3 and imported the key/cert pair. All good now! Now if only pfSense 2.4.3 could be patched to eliminate all this work, it would be great!

    Cheers


  • Netgate

    I believe the SAN is the correct place for that and Comodo is wrong.

    Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

    .mydomain.com is not a wildcard. *.domain.com is.



  • @derelict said in Generating Wildcard CSR includes domain in SAN field after upgrade to 2.4.3:

    I believe the SAN is the correct place for that and Comodo is wrong.

    Look at the cert you got. I'll bet *.domain.com is in a DNS SAN.

    .mydomain.com is not a wildcard. *.domain.com is.

    You are right Sir.
    RFC 2818 says that a cert should present a DNS name as a SAN name, or that the CN should be used. It also states that the CN is deprecated as the ID for the cert.

    Therefore SAN names should be used. It's an RFC from the year 2000.
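The two things this thread turns on can be reproduced off the firewall with the openssl CLI, as Steve suggested: building the wildcard CSR with and without the DNS SAN that pfSense 2.4.3 adds, and then checking a CSR or an issued certificate for the wildcard in a DNS SAN (Derelict's "look at the cert you got" check, and the reason the RFC 2818 post gives for wanting it there). The script below is an added example and is not code from the forum thread or from pfSense; it assumes a POSIX sh with the openssl binary on PATH, uses `*.example.com` and "Example Org" as placeholder values rather than the poster's real domain, and stands in for the CA by self-signing, with the "CA" setting the SAN from its own extension file regardless of what the CSR carried, which is the point made in the last reply.

```shell
#!/bin/sh
# Added example, not from the pfSense forum thread or pfSense's own code.
# Assumes: POSIX sh, openssl on PATH, writable temp dir. Names below are placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Placeholder wildcard name (assumption, not the poster's real domain).
WILDCARD='*.example.com'

# make_csr NAME san|nosan
# Builds a CSR for $WILDCARD. "san" mirrors what pfSense 2.4.3 does (CN copied into
# a DNS SAN); "nosan" mirrors the 2.3.4-style CSR the poster fell back to.
# Prints the CSR path.
make_csr() {
    base="$WORK/$1"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$2" = san ]; then printf 'req_extensions = v3_req\n'; fi
        printf '[dn]\nCN = %s\nO = Example Org\nC = US\n' "$WILDCARD"
        printf '[v3_req]\nsubjectAltName = DNS:%s\n' "$WILDCARD"
    } > "$base.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$base.key" -out "$base.csr" -config "$base.cnf" 2>/dev/null
    printf '%s\n' "$base.csr"
}

# dns_sans csr|cert FILE
# Prints one DNS SAN entry per line; prints nothing if the object has no SAN.
dns_sans() {
    case "$1" in
        csr)  text=$(openssl req  -in "$2" -noout -text) ;;
        cert) text=$(openssl x509 -in "$2" -noout -text) ;;
        *)    echo "usage: dns_sans csr|cert FILE" >&2; return 2 ;;
    esac
    # The SAN value is printed on the line after the extension heading.
    printf '%s\n' "$text" \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# has_wildcard_san csr|cert FILE  -> exit 0 if the wildcard is present as a DNS SAN
has_wildcard_san() {
    dns_sans "$1" "$2" | grep -qxF "$WILDCARD"
}

# issue_cert CSR KEY OUT
# Stands in for the CA: signs the CSR but takes the SAN from its own extension
# file, so the result carries DNS:$WILDCARD whether or not the CSR asked for it.
issue_cert() {
    printf '[ca_ext]\nsubjectAltName = DNS:%s\n' "$WILDCARD" > "$WORK/ca_ext.cnf"
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -sha256 \
        -extfile "$WORK/ca_ext.cnf" -extensions ca_ext -out "$3" 2>/dev/null
}

main() {
    san_csr=$(make_csr with_san san)
    nosan_csr=$(make_csr without_san nosan)
    echo "2.4.3-style CSR, DNS SAN:  $(dns_sans csr "$san_csr")"
    echo "2.3.4-style CSR, DNS SAN:  '$(dns_sans csr "$nosan_csr")'"
    # Even the SAN-less CSR comes back with the wildcard in a DNS SAN once the
    # "CA" applies its own extensions.
    issue_cert "$nosan_csr" "$WORK/without_san.key" "$WORK/issued.crt"
    echo "issued cert, DNS SAN:      $(dns_sans cert "$WORK/issued.crt")"
    echo "issued cert, CN:           $(openssl x509 -in "$WORK/issued.crt" -noout -subject)"
}

main
```

Run it as `sh wildcard_san.sh`; the first CSR lists `*.example.com` under the requested extensions, the second lists nothing, and the issued certificate lists `*.example.com` in a DNS SAN either way. The `-extfile`/`-extensions` pair is used deliberately: `openssl x509 -req` does not copy extensions from the CSR into the certificate unless told to, which is exactly the freedom a CA has to ignore what the CSR asked for and set its own SAN before signing.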


  • Netgate

    Yeah seems Comodo has some catching up to do.

    If they don't like the SAN in the CSR they can always just ignore it and set their own before they sign.

    There are also a myriad of CAs to choose from so...



© Copyright 2002 - 2018 Rubicon Communications, LLC