Re: Take control of the SAN

#53745

PatrickB
Member

Hello.

I can confirm that I could take control of the SAN of the host certificate by adjusting x509_createDefaultCert this way:

First, I copied the script to some /opt/mods and updated the PostBoot script to replace the original one with it at every reboot (like other mods).

Then I did this inside it (simple hardcoding; I could also read the names from a file):

...
# Generate the key and the CSR for the host certificate (CN = this host's name)
openssl req -new -batch -newkey rsa:$NBIT -nodes -out /tmp/x509default.req -keyout /tmp/x509default.key -days $DAYS -sha512 -subj "/OU=Hosts/CN=$HOSTNAME"
# Build a temporary extfile: the stock extensions plus our own subjectAltName line
TMP=/tmp/x509_extfile_defaulthost
cat $SSLDIR/extensions > $TMP
echo -n "subjectAltName = DNS:`hostname`" >> $TMP
# No I don't want the IP in the certificate:
# find /var/register/system/net/interfaces/ -name IP -type f -exec awk '{printf(", IP:%s",$0)}' {} \; >> $TMP
# Instead I want some more names:
echo -n ", DNS:janus.mydomain.lan, DNS:lan.mydomain.org" >> $TMP
# Terminate the subjectAltName line
echo >> $TMP
# Sign the CSR with the local CA using the "host" section of the extfile
openssl ca -batch -days $DAYS -in /tmp/x509default.req -out /tmp/x509default.cert -extfile $TMP -extensions host
...

I use XCA on a separate machine to generate all my certificates and their keys, notably the intermediate CA (and its key) for the ZS. The master CA (which signed the intermediate CA) is just imported as a trusted certificate, without its ultra-precious key of course! 😛

When importing the intermediate CA, the ZS process regenerates the host certificate and, thanks to the change, it has the SAN I need. After a reboot, all is clean 8)

At this time I did not try all the scenarios of certificate renewal from the ZS GUI. I hope there are no other paths likely to bring back the original pattern 👿

In this case, a more aggressive solution 😈 would be to abandon the whole certificate management from the GUI and code a tool script this way:
https://www.zeroshell.org/forum/viewtopic.php?t=5061
…to import all the certificates from outside and force them into the right places inside ZS. I hope I will escape that 😡

NB: While doing such things, on the computer used to access ZS' GUI your browser may become very boring, especially Firefox (it does its job) with certificate errors, and may even forbid you to complete the operation 😈
Internet Explorer is a bit more permissive: it screams but always has an option to bypass… On Firefox, you may have to purge the (local) certificate database: a file named cert8.db in the profile, plus the cache. After that you will just have to reimport your personal certificates (added CA etc.); this is not lethal.

Best regards.
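The post above hardcodes the extra SAN names and mentions they could be read from a file instead. The following is an added example (not from the post or from Zeroshell) that does exactly that for the extfile step: names come from a file (assumed path /opt/mods/san_names, one DNS name per line), each name is validated before it is written so a stray line cannot smuggle extra directives into the extfile, and a last function checks that the issued certificate really carries the expected SAN entries.

```shell
#!/bin/sh
# Added example, not Zeroshell's code. Assumed: names file with one DNS name
# per line (blank lines and '#' comments ignored), stock extensions file and
# a "host" section as used by x509_createDefaultCert.

# Print the subjectAltName value: "DNS:<host>, DNS:<name1>, ...".
# Names are restricted to hostname characters; anything else is rejected.
build_san_value() {
    host=$1; names_file=$2
    san="DNS:$host"
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*) continue ;;                       # skip blanks/comments
            *[!A-Za-z0-9.-]*) echo "rejecting name: $name" >&2; return 1 ;;
        esac
        if [ "$name" = "$host" ]; then continue; fi    # already listed
        san="$san, DNS:$name"
    done < "$names_file"
    printf '%s\n' "$san"
}

# Write the extfile: stock extensions followed by our subjectAltName line.
write_extfile() {
    extensions=$1; host=$2; names_file=$3; out=$4
    san=$(build_san_value "$host" "$names_file") || return 1
    { cat "$extensions"; printf 'subjectAltName = %s\n' "$san"; } > "$out"
}

# After signing: confirm every name from the file is in the cert's SAN.
# Needs openssl (1.1.1 or later for -ext); returns 1 on the first miss.
check_cert_san() {
    cert=$1; names_file=$2
    actual=$(openssl x509 -in "$cert" -noout -ext subjectAltName) || return 1
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$actual" in
            *"DNS:$name"*) ;;
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done < "$names_file"
}
```

Drop-in use inside the modified script would be `write_extfile "$SSLDIR/extensions" "$(hostname)" /opt/mods/san_names "$TMP"` in place of the echo lines, then `check_cert_san /tmp/x509default.cert /opt/mods/san_names` after the `openssl ca` call.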