Hi,

Following the examples in ikectl(8), ikectl ca ... appears to create invalid
subjectAltName .cnf entries when the common name is an IP address:

# ikectl ca test create
CA passphrase:
Retype CA passphrase:
Generating RSA private key, 2048 bit long modulus
............+++
..................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [VPN CA]:
Email Address [[email protected]]:
Signature ok
subject=/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA/[email protected]
Getting Private key
Using configuration from /etc/ssl/test/ca-revoke-ssl.cnf

# ikectl ca test certificate 10.0.0.1 create
Generating RSA private key, 2048 bit long modulus
....................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [10.0.0.1]:
Email Address [[email protected]]:
Using configuration from /etc/ssl/test/10.0.0.1-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Lower Saxony'
localityName          :ASN.1 12:'Hanover'
organizationName      :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName            :ASN.1 12:'10.0.0.1'
emailAddress          :IA5STRING:'[email protected]'
ERROR: adding extensions in section x509v3_IPAddr
3368980406304:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
3368980406304:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
3368980406304:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:

# grep subjectAltName /etc/ssl/test/10.0.0.1*
/etc/ssl/test/10.0.0.1-ext.cnf:subjectAltName=IP:
/etc/ssl/test/10.0.0.1-ext.cnf:subjectAltName=DNS:$ENV::CERTFQDN
/etc/ssl/test/10.0.0.1-ssl.cnf:subjectAltName=IP:
/etc/ssl/test/10.0.0.1-ssl.cnf:subjectAltName=DNS:$ENV::CERTFQDN

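Added example, not ikectl's own code: two hypothetical helpers illustrating the defect in the report above. san_line() builds the subjectAltName entry that should have been written for a given certificate name (IP: for an IPv4 dotted quad, DNS: otherwise; the classification is a plain dotted-quad check, not the heuristic ikectl uses), and check_san_cnf() rejects a generated .cnf that carries an empty value such as "subjectAltName=IP:" before openssl is ever invoked.

```sh
#!/bin/sh
# Added example, not ikectl's own code. Hypothetical helpers: san_type()
# classifies a name, san_line() emits the matching subjectAltName entry, and
# check_san_cnf() catches an empty SAN value like "subjectAltName=IP:".

# Print IP for a dotted-quad IPv4 address, DNS for anything else.
san_type() {
    name=$1
    case "$name" in
        *[!0-9.]*|.*|*.|*..*) echo DNS; return 0 ;;   # non-digit, bad dots
    esac
    n=0
    old_ifs=$IFS; IFS=.
    for oct in $name; do
        n=$((n + 1))
        if [ "$oct" -gt 255 ]; then IFS=$old_ifs; echo DNS; return 0; fi
    done
    IFS=$old_ifs
    if [ "$n" -eq 4 ]; then echo IP; else echo DNS; fi
}

# Emit the single subjectAltName line for the certificate name.
san_line() {
    echo "subjectAltName=$(san_type "$1"):$1"
}

# Return 1 if any subjectAltName entry in the file lacks a type prefix or
# has nothing after it; an empty "IP:" is exactly what openssl rejects.
check_san_cnf() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            subjectAltName=*)
                case "${line#subjectAltName=}" in
                    IP:?*|DNS:?*|email:?*|URI:?*) ;;
                    *) echo "bad entry: $line" >&2; status=1 ;;
                esac ;;
        esac
    done < "$1"
    return $status
}

# Constructed sample reproducing the two lines from the report's ext.cnf.
demo_cnf=$(mktemp)
printf 'subjectAltName=IP:\nsubjectAltName=DNS:$ENV::CERTFQDN\n' > "$demo_cnf"
if check_san_cnf "$demo_cnf"; then echo "accepted"; else echo "rejected"; fi
san_line 10.0.0.1          # subjectAltName=IP:10.0.0.1
san_line vpn.example.org   # subjectAltName=DNS:vpn.example.org
rm -f "$demo_cnf"
```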