Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add IP option to SAN certificate #7972

Merged
merged 4 commits into from
Aug 13, 2024
Merged

Add IP option to SAN certificate #7972

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bb5d6a2
Add IP option to SAN certificate
Naarcha-AWS Aug 12, 2024
b9810ce
Apply suggestions from code review
Naarcha-AWS Aug 13, 2024
3c4ba7e
Update _security/configuration/generate-certificates.md
Naarcha-AWS Aug 13, 2024
365c69e
Update _security/configuration/generate-certificates.md
Naarcha-AWS Aug 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions _security/configuration/generate-certificates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,13 +115,21 @@ openssl req -new -key node1-key.pem -out node1.csr
For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with [RFC 2818 (HTTP Over TLS)](https://datatracker.ietf.org/doc/html/rfc2818). The SAN should match the corresponding CN so that both refer to the same DNS A record.
{: .note }

Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host:
Before generating a signed certificate, create a SAN extension file which describes the DNS A record for the host. If you're connecting to a host that only has an IP address, use `IP`:
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved

**No IP**

```bash
echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext
```

Generate the certificate:
**With IP**

```bash
echo subjectAltName=IP:127.0.0.1 > node1.ext
```

With the DNS A record described, generate the certificate:

```bash
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
Expand Down
Loading