Jesus Alvarez created KNOX-1084:
-----------------------------------
Summary: Extend knoxcli to support multiple hostnames while
generating self-signed certificates
Key: KNOX-1084
URL: https://issues.apache.org/jira/browse/KNOX-1084
Project: Apache Knox
Issue Type: Bug
Reporter: Jesus Alvarez
Priority: Minor

In some multi-homed network environments, a knox gateway may have hostnames
such as:
{code}
123-4-5-5-internal.example.com
pub2-west-re.example.com
{code}
While generating certificates in these types of environments, one approach to
having host verification resolve on the external and internal CNs is the use of
subjectAltNames: http://wiki.cacert.org/FAQ/subjectAltName
{code}
openssl x509 -in temp.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123456 (0x1e240)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=pub2-west-re.example.com, O=EX, C=US
        Validity
            ...
        Subject: CN=pub2-west-re.example.com, O=EX, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:123-4-5-5-internal.example.com
{code}
It would be useful if knoxcli could be extended to support multiple hostnames,
ex:
{code}
bin/knoxcli.sh create-cert --hostname pub2-west-re.example.com --hostname 123-4-5-5-internal.example.com
{code}
Where the first name will continue to be the Issuer and Subject, and the
2nd-Nth hostnames will be added as Subject Alternative Name DNS entries.
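
As an added illustration (not part of the original report and not knoxcli code), this shell sketch builds the requested layout and a variant with every hostname in the SAN, then checks each name with `openssl x509 -checkhost`, which ignores the CN once a DNS subjectAltName is present. It assumes OpenSSL 1.1.1 or later for `-addext`; the helper names `san_list`, `make_cert`, `host_matches` and `demo` are hypothetical, and the key is 2048-bit rather than 4096 to keep the run short.

```shell
#!/bin/sh
# Added example, not knoxcli code. Hostnames are the sample ones from the issue.

# san_list HOST... -> "DNS:host1,DNS:host2,..."
san_list() {
  sl_out=""
  for sl_h in "$@"; do sl_out="${sl_out:+$sl_out,}DNS:$sl_h"; done
  printf '%s' "$sl_out"
}

# make_cert PREFIX CN SAN -> writes PREFIX.key and PREFIX.crt (self-signed,
# Issuer = Subject = CN, subjectAltName = SAN).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2/O=EX/C=US" -addext "subjectAltName=$3" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# host_matches CERT HOST -> exit status 0 only if OpenSSL accepts HOST for CERT
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

demo() {
  d_ext=pub2-west-re.example.com
  d_int=123-4-5-5-internal.example.com
  d_dir=$(mktemp -d) || return 1
  # Layout requested in the issue: first name in CN only, the rest in SAN.
  make_cert "$d_dir/cn_only" "$d_ext" "$(san_list "$d_int")"
  # Variant: every hostname, including the first, in SAN.
  make_cert "$d_dir/all_san" "$d_ext" "$(san_list "$d_ext" "$d_int")"
  for d_c in cn_only all_san; do
    for d_h in "$d_ext" "$d_int"; do
      if host_matches "$d_dir/$d_c.crt" "$d_h"; then echo "$d_c: $d_h OK"
      else echo "$d_c: $d_h REJECTED"; fi
    done
  done
  rm -rf "$d_dir"
}

demo
```

With the CN-only layout the external name is rejected by this check, so a multi-hostname `create-cert` would need the first hostname repeated in the SAN for such verifiers.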