On 2019/02/18 14:47, Sevan Janiyan wrote:
>
>
> On 18/02/2019 14:35, Sevan Janiyan wrote:
> > I've dropped the changes with the exception of
> > s/CERTIP/CERTFQDN that is an actual bug and changing the file name to
> > indicate a copy.
> >
> > If you look at /etc/x509v3.cnf you'll see that for the x509v3_FQDN
> > extension, the subjectAltName field is populated using $ENV::CERTFQDN,
> > not $ENV::CERTIP
>
> Sorry about the noise, updated diff.
>
>
> Sevan
> Index: sbin/isakmpd/isakmpd.8 > =================================================================== > RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v > retrieving revision 1.120 > diff -u -p -r1.120 isakmpd.8 > --- sbin/isakmpd/isakmpd.8 17 Apr 2018 12:13:29 -0000 1.120 > +++ sbin/isakmpd/isakmpd.8 18 Feb 2019 14:45:19 -0000 > @@ -630,14 +630,14 @@ with 10.0.0.1, then run: > -extensions x509v3_IPAddr -out 10.0.0.1.crt > .Ed > .Pp > -For a FQDN certificate, replace > -.Dv $ENV::CERTIP > +For an FQDN certificate, replace > +.Dv $ENV::CERTFQDN OK for this as-is, that's an actual manpage bug that needs fixing. > with the hostname and run: > .Bd -literal -offset indent > # openssl x509 -req \e > -days 365 -in somehost.somedomain.csr \e > -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e > - -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e > + -CAcreateserial -extfile ~/tmp_x509v3.cnf \e > -extensions x509v3_FQDN -out somehost.somedomain.crt > .Ed > .Pp If we're changing that /etc/ssl/x509v3.cnf reference then we should also change the one for x509v3_IP. But the text above just says to copy and edit it but without mentioning ~/tmp_x509v3.cnf anywhere other than in the command line it seems a bit unnecessarily awkward for the reader. Maybe these for the two sections? # sed 's,\$ENV::CERTIP,10.0.0.1,' < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req [...] and # sed 's,\$ENV::CERTFQDN,somehost.somedomain,' < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req [...]
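Review bot: the -extfile change in this hunk is applied only to the x509v3_FQDN command, while the x509v3_IPAddr command in the unchanged context just above it (ending in `-extensions x509v3_IPAddr -out 10.0.0.1.crt`) still reads `-extfile /etc/ssl/x509v3.cnf`; the two examples should agree, and the prose before the command ("replace .Dv $ENV::CERTFQDN with the hostname and run:") should say how ~/tmp_x509v3.cnf comes into existence, otherwise the reader is left to guess whether to edit the installed /etc/ssl/x509v3.cnf in place or work on a copy. The two wording fixes in the hunk, `a FQDN` -> `an FQDN` and `$ENV::CERTIP` -> `$ENV::CERTFQDN`, match the x509v3_FQDN extension described in the thread and are fine as-is.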
