-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Subject Alt Name (fixes #1) #2
Conversation
This was my reason for [forking](https://github.com/developit/devcert). If merged I'll point preact-cli back to the proper devcert package.
Thanks @developit, was meaning to get around to that! Not sure we want to hardcode to localhost though - what if someone is using /etc/host? That was the rationale for passing in the app name to |
domain name works, though I think the SAN field accepts a CSV? |
I haven't done much digging on the SAN field, so not sure ... |
@@ -34,6 +34,7 @@ commonName = Common Name | |||
[ v3_ca ] | |||
# Extensions for a typical CA (`man x509v3_config`). | |||
subjectKeyIdentifier = hash | |||
subjectAltName = email:user@localhost |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is necessary
@@ -47,3 +48,4 @@ subjectKeyIdentifier = hash | |||
authorityKeyIdentifier = keyid,issuer:always | |||
keyUsage = critical, digitalSignature, keyEncipherment | |||
extendedKeyUsage = serverAuth | |||
subjectAltName=DNS:localhost |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Multiple subjectAltName values are possible, either by
subjectAltName = DNS:localhost, DNS:lvh.me, IP:127.0.0.1, IP:127.0.0.2
or
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = lvh.me
IP.1 = 127.0.0.1
IP.2 = 127.0.0.2
My thinking is that this list of domains and IP addresses should be
1) The following, by default
DNS.1 = localhost
DNS.2 = lvh.me
IP.1 = 127.0.0.1
Use case: I'm working on an app that can be hosted on a single domain, and wish to develop with HTTPS on localhost.
2) Added to, machine-wide at the developer's discretion
Use case: I have a static IP address or host name on my corporate network, and want ANY devcert certificate to facilitate TLS connections for that IP/hostname.
3) Added to, by request of the requestor of a certificate (and ideally at the explicit consent of the machine owner), on a per-certificate basis
Use case: I work on an app that involves multiple subdomains, even in development (i.e. we are building something like *.github.io, where users create their own subdomains)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thoughts as to the most straightforward way to implement these
-
Can be done right now with no risk or harm to existing users or future APIs, by adding the above to the openssl configuration template.
- This library would have to be modified so that the openssl config in
~/.config/devcert
is "upgraded", since as-is, it's created when the cert authority is set up and then never touched again. - I don't believe there's any harm in "updating" the openssl config as each signed certificate is generated, providing the treatment of serial number and database remain unchanged.
- This library would have to be modified so that the openssl config in
-
Can be accomplished by just providing instructions for editing
~/.config/devcert/openssl.conf
(and the equivalent for windows/linux) in README.md -
Could be implemented by adding the ability to pass an optional options object to the devcert function, with devcert presenting a blocking Y/N confirmation prompt to the user, listing the domains to the console (thus making it more difficult for the user to be tricked into creating trusted certificates for
api.my-online-bank.com
)
Related: webpack/webpack-dev-server#987 |
Going to close this PR, since SAN is now supported in the just-landed refactor on master branch. But I'd like to make sure we address all the points mentioned here. @mike-north in general, I'd like to keep devcert as a low-level library that other tools can build on top of. To that end, I'd like to keep the assumptions to a minimum - I'd rather provide no default domains, and let whatever tool / library / framework that builds on top of devcert provide whatever defaults make the most sense there. I wasn't aware of the |
Fix for checking the domains present in the file.
…tence Check for existence of certs before attempting to delete them
This was my reason for forking. If merged I'll point preact-cli back to the proper devcert package.