#105 Expand getcert-request doc for -D option
Closed: fixed 4 months ago Opened 4 months ago by erinn.

As it currently stands:

   -D DNSNAME
          Add an extensionRequest for a subjectAltName, with the specified
          DNS name as its value, to the signing request.

I believe, and my testing has shown, that for multiple SANs they should be separated by commas, so: '-D foo.example.com,bar.example.com', but it is possible to do '-D foo.example.com -D bar.example.com', so I am not 100% sure what the 'right' way to do this is. For our needs the comma is the right approach to pass to an upstream CA, and commas seem to work with SelfSign, but I'll leave it to the experts. Any which way, if the docs could clarify it, that would be great, and it would help to clarify the info in the helpers.txt file as well for CERTMONGER_REQ_HOSTNAME.

Finally if multiple -D options shouldn't happen, perhaps the code should check for that and stop it.

Thanks.


I retract my statement about commas; after more research, multiple -D's seem to be the way to do it. However, I would still suggest documenting this in more detail in the man page and in the helpers.txt file, letting folks know that multiple entries will be separated by newlines.

-Erinn

I'm not sure what you mean by "separated by newlines". Each -D will create a new DNS SAN in the CSR.

If we have '-D foo.example.com -D bar.example.com', certmonger populates CERTMONGER_REQ_HOSTNAME='foo.example.com\nbar.example.com', or, to put it slightly differently, here is the code I wrote to basically make it a CSV (Python):

   import os
   sans = ','.join(os.environ.get('CERTMONGER_REQ_HOSTNAME', '').split('\n'))

Does that make more sense?

-Erinn

Yeah, I think that does it; thanks for putting it together. As mentioned, I would have, but I was unsure as to what the 'right' way was.

-Erinn
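The thread establishes that each -D adds one DNS subjectAltName and that certmonger hands all of them to a helper in CERTMONGER_REQ_HOSTNAME, one per line. The one-liner in the ticket forwards that value as-is; a helper that passes names on to an upstream CA usually wants to normalise and sanity-check them first. The following is an added example written for this page, not code from the ticket or from certmonger itself. The newline separator is what the ticket describes; the DNS-label syntax check, the case folding, the de-duplication and the decision to refuse a request containing a malformed name are assumptions of this example, as is the assumed behaviour that the variable is empty when no -D was given.

```python
import os
import re

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading or
# trailing hyphen (RFC 1123 hostname syntax). Assumed check for this example.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_req_hostnames(raw):
    """Split a newline-separated CERTMONGER_REQ_HOSTNAME value into names.

    Blank lines and surrounding whitespace are dropped, names are folded to
    lower case, duplicates are removed while keeping first-seen order, and
    each entry is checked to look like a DNS name. Returns (good, bad) so the
    caller can decide what to do with entries that failed the check instead
    of silently forwarding them to a CA.
    """
    good, bad, seen = [], [], set()
    for line in raw.split("\n"):
        name = line.strip().lower()
        if not name or name in seen:
            continue
        seen.add(name)
        labels = name.split(".")
        if len(name) > 253 or not all(_LABEL_RE.match(label) for label in labels):
            bad.append(name)
        else:
            good.append(name)
    return good, bad


def sans_csv(raw):
    """Build the comma-separated SAN list the ticket's helper passes upstream.

    Refuses the whole request if any entry is not a plausible DNS name, so a
    stray or malformed value from the request never reaches the CA.
    """
    good, bad = parse_req_hostnames(raw)
    if bad:
        raise ValueError("rejecting non-DNS subjectAltName values: " + ", ".join(bad))
    return ",".join(good)


def sans_from_environ(environ=None):
    """Read CERTMONGER_REQ_HOSTNAME from the process environment (or a dict
    standing in for it) and return the CSV form. An unset variable is
    treated as "no DNS SANs requested" (assumption of this example)."""
    env = os.environ if environ is None else environ
    return sans_csv(env.get("CERTMONGER_REQ_HOSTNAME", ""))


if __name__ == "__main__":
    # Constructed sample mirroring '-D foo.example.com -D bar.example.com'.
    sample = {"CERTMONGER_REQ_HOSTNAME": "foo.example.com\nbar.example.com\n"}
    print(sans_from_environ(sample))
```

In a real helper the `sans_from_environ()` call replaces the ticket's one-liner; the empty trailing element that `"a\nb\n".split("\n")` produces (which the original one-liner would turn into a trailing comma) is dropped by the blank-line check.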

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago
