Hi Ludovic,
thanks. I did some digging around in the code of my Packetfence installation and found a file called models.go under go/caddy/pfpki. In there it looks like the certificate is being created. Looking at the Golang documentation for x509.CreateCertificate it seems there can be an array “DNSNames” added to the certificate. Probably it would be an option to copy the CN into that array? I don’t know how the certificate generation works in PF to be honest, it’s just a wild guess 😊

Regards,
Tom.

From: Ludovic Zammit <[email protected]>
Sent: Monday, 7 December 2020 15:32
To: [email protected]
Cc: [email protected]
Subject: Re: [PacketFence-users] Packetfence PKI add SAN

I’m actually testing it and I will let you know what we can do about that.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Dec 7, 2020, at 9:29 AM, <[email protected]> wrote:

Hi,

yes, Root CA is installed. But modern browsers require the servername to be present in the SAN as well as in the CN. MS Edge displays a NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn’t present, Firefox refuses to connect. This seems to be the normal behaviour now, see “Support for commonName matching in Certificates - Chrome Platform Status” (https://www.chromestatus.com/feature/4981025180483584) for example.

Regards,
Tom.

From: Ludovic Zammit <[email protected]>
Sent: Monday, 7 December 2020 14:56
To: [email protected]
Cc: [email protected]
Subject: Re: [PacketFence-users] Packetfence PKI add SAN

Hello Tom,

Which browsers? Did you install the PacketFence PKI Root CA on the testing device?
Because without the Root CA installed on either device, it would not be able to trust the certificate issued by the PacketFence PKI and also the chain.

Thanks,

Ludovic Zammit

On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users <[email protected]> wrote:

Hi,

I am using Packetfence 10.2 and have configured the internal PKI to deploy certificates to clients which works fine. I thought I’d use the PKI also to create certificates for internal Web Servers. This works in general but Browsers show errors as no SAN is given in the certificate. Is there a way to add SANs to the certificate?

Thanks,
Tom.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
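The idea raised in the thread, copying the CN into the DNSNames field of the template passed to x509.CreateCertificate, shown as an added example that is not PacketFence's code (models.go is not reproduced here). The helper name issueServerCert, the self-signing shortcut, the serial number and the hostname are assumptions made for illustration; the block goes one step beyond the thread by placing an IP-literal CN in an IP SAN, and it uses Go's own VerifyHostname, which matches only against the SAN, to show the CN-only certificate being rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueServerCert (hypothetical helper) self-signs a cert for cn; withSAN copies the CN into the SAN.
func issueServerCert(cn string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value; a real CA issues unique serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		if ip := net.ParseIP(cn); ip != nil { // an IP literal needs an IP SAN, not a DNS SAN
			tmpl.IPAddresses = []net.IP{ip}
		} else {
			tmpl.DNSNames = []string{cn}
		}
	}
	// Self-signed (template used as its own parent) to keep the example short.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withSAN := range []bool{false, true} {
		cert, err := issueServerCert("intranet.example.test", withSAN) // constructed hostname
		if err != nil {
			panic(err)
		}
		fmt.Println("withSAN:", withSAN, "DNSNames:", cert.DNSNames, "VerifyHostname:", cert.VerifyHostname(cert.Subject.CommonName))
	}
}
```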
