Subject Alternative Name support in SSL certificates
Chrome 58 removes support for using the commonName to match a domain to certificate: https://www.chromestatus.com/features/4981025180483584
Firefox has already dropped support as of FireFox 48: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
FreeNAS currently generates certificates without a Subject Alternative Name section. Chrome 58 is currently in Beta (which is how I ran across the issue) and will probably be promoted to stable within the next month. Once released all FN-generated certificates will be rejected with NET::ERR_CERT_COMMON_NAME_INVALID.
There is a ticket open for FreeNAS Corral (https://bugs.freenas.org/issues/22926) but I wanted to request that any Corral fixes for SAN support be backported to 9.10.
#19 Updated by Samuel Harmer about 4 years ago
Please would you patch this into 9.10-STABLE? (FreeNAS-9.10.2-U3 (e1497f269))
I have a load of certificates signed and managed using FreeNAS and now they're all useless. I would have to spin up a new CA and I really don't want to have to do that.
Furthermore, it seems that even if I use --ignore-certificate-errors (Chrome Version 58.0.3029.110 (64-bit)) the page isn't rendering correctly. Not sure if the two are related though. If I use an old version of FF that I happened to still have installed (43.01), it still renders fine, fortunately (as I have port 80 disabled on the web interface).
#20 Updated by Suraj Ravichandran about 4 years ago
Hi Samuel Harmer,
Firstly, while I can patch this into 9.10 if need be, it still will not make it so that the existing certificates would be retroactively edited.
You could at the very best reuse your existing CA to issue new certs; would that work for you?
If that satisfies your criteria, then I can request my management to consider a patch release with this fix.
In the end, my manager has to approve that.
I am sorry for your troubles, wish I could have avoided this, but I too am learning as I go with this whole certificate thing. I would like to believe that I am getting better though :-P
Thanks & Regards,
#23 Updated by Samuel Harmer about 4 years ago
Hi Suraj, Kris,
Yep; I've seen the recent changes in direction and appreciate that everything's probably quite hectic at the moment so fair enough. I think this is one probably worth back-porting in the long-term.
Looking at ssl.py it wouldn't be hard to pass key/value pairs straight to crypto. Leave it as an advanced option in the WebUI if you like: I just want a way to add misc SANs to certs. Otherwise FreeNAS CA is perfectly fit for purpose.
Keep up the excellent work.
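To make concrete both the failure mode in the original report (CN-only certificates rejected with NET::ERR_CERT_COMMON_NAME_INVALID) and the fix Samuel asks for above (passing a subjectAltName extension through to the crypto layer), here is an added example. It is not FreeNAS code and not from any poster in this thread; it uses the Python `cryptography` library rather than the pyOpenSSL `crypto` module that FreeNAS's ssl.py wraps. It builds one certificate with only a commonName and one that carries the same name in a SAN, then checks a hostname against the SAN alone, the way Chrome 58 and Firefox 48 do. The hostnames nas.home.lan and 192.168.1.10 are constructed sample values, and the wildcard matcher is a simplified version of the browser rules (one leftmost label, no public-suffix checks). `check_pem_file` is the audit an administrator would run over a certificate exported from FreeNAS.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_self_signed(common_name, sans=None, days=365):
    """Build a self-signed certificate for `common_name`.

    `sans` is an optional list of hostnames / IP address strings that become
    the subjectAltName extension.  Note that the CN itself is NOT copied into
    the SAN automatically: a browser that ignores the CN will only accept the
    certificate for names that appear in `sans`.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    if sans:
        entries = []
        for entry in sans:
            # IP literals must be encoded as iPAddress, not dNSName.
            try:
                entries.append(x509.IPAddress(ipaddress.ip_address(entry)))
            except ValueError:
                entries.append(x509.DNSName(entry))
        builder = builder.add_extension(
            x509.SubjectAlternativeName(entries), critical=False
        )
    return builder.sign(key, hashes.SHA256())


def san_names(cert):
    """Return the DNS and IP names from the SAN extension ([] if absent)."""
    try:
        ext = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
    except x509.ExtensionNotFound:
        return []
    san = ext.value
    dns = list(san.get_values_for_type(x509.DNSName))
    ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    return dns + ips


def host_matches(cert, hostname):
    """Chrome 58 / Firefox 48 rule: only the SAN counts, the CN is ignored.

    Simplified wildcard handling: '*.example.lan' matches exactly one
    leftmost label ('nas.example.lan', not 'example.lan' or 'a.b.example.lan').
    """
    host = hostname.lower()
    for name in san_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_pem_file(path, hostname):
    """Audit an exported PEM certificate: does its SAN cover `hostname`?"""
    with open(path, "rb") as fh:
        cert = x509.load_pem_x509_certificate(fh.read())
    return host_matches(cert, hostname)


if __name__ == "__main__":
    # Constructed sample names, not real hosts.
    cn_only = make_self_signed("nas.home.lan")
    with_san = make_self_signed(
        "nas.home.lan", ["nas.home.lan", "nas", "192.168.1.10"]
    )
    for label, cert in (("CN only", cn_only), ("with SAN", with_san)):
        print(label, "SAN =", san_names(cert),
              "-> accepted for nas.home.lan:", host_matches(cert, "nas.home.lan"))
```

Running the block shows the CN-only certificate is rejected for its own common name while the SAN-bearing one is accepted for the hostname and the IP; the same `check_pem_file` call against a certificate exported from the FreeNAS UI tells you whether it needs reissuing.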
#24 Updated by Ruan Kritzinger about 4 years ago
I am running FreeNAS-11.0-U2 (e417d8aa5) and still do not see this feature (See screens). Apologies if I am missing the obvious, but if not please can this be corrected?
#26 Updated by Suraj Ravichandran about 4 years ago
@Ruan: I have not added the ability to provide extra subject alt names in the UI.
For now, just use the common name input to do the same.
The other stuff (adding misc subject alt pairs to certs) is more of a "nice to have"; I will probably not get around to it this release cycle.
For now, just use the common name.