Couchbase Server / MB-38293

Only generate SAN entries in self-signed certs and leave CN blank

    Description

We should make the following changes to how we generate self-signed certs.

1. always generate SAN entries (currently we only create a SAN entry for nodes named with raw IP addresses)
2. leave the common name blank

On the second point, SAN entries are always to be preferred over CNs and are mandatory for IP addresses; CNs have a 64-character size limit and have long been deprecated. See these sections from https://tools.ietf.org/html/rfc2818#section-3.1.

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used. Although
    the use of the Common Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName instead.

and

    In some cases, the URI is specified as an IP address rather than a
    hostname. In this case, the iPAddress subjectAltName must be present
    in the certificate and must exactly match the IP in the URI.
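The two RFC 2818 rules quoted above are what make the CN-only certs a problem for clients: a dNSName SAN, when present, is the only identity consulted, and an IP literal can never be satisfied by a CN. The following is an added example (not Couchbase's ns_server code) that shows both sides of the change: `plan_self_signed_identity` is a hypothetical planner that applies the issue's two rules (always a SAN entry, empty subject) to a node name, and `matches_identity` is a reference implementation of the section 3.1 matching logic, written against the certificate shape Python's standard-library `ssl.SSLSocket.getpeercert()` returns. Only the standard library is used; the certificate dicts in the tests are constructed by hand. Treating the last CN in the subject as the "most specific" one is this example's assumption.

```python
import ipaddress

# Certificate shape mirrors ssl.SSLSocket.getpeercert() (Python stdlib), e.g.
#   {'subject': ((('commonName', 'node1.example.com'),),),
#    'subjectAltName': (('DNS', 'node1.example.com'), ('IP Address', '10.0.0.5'))}

CN_MAX_LEN = 64  # X.509 ub-common-name; a DNS name may be up to 253 characters


def fits_in_common_name(name):
    """True only if `name` could be carried in a CN at all (one reason to prefer SANs)."""
    return len(name) <= CN_MAX_LEN


def plan_self_signed_identity(node_name):
    """Hypothetical generator-side planner implementing the issue's two rules:
    always emit a SAN entry and leave the subject (and so the CN) blank.
    An IP-literal node name becomes an iPAddress SAN, anything else a dNSName SAN."""
    try:
        ip = ipaddress.ip_address(node_name)
        san = (("IP Address", str(ip)),)
    except ValueError:
        san = (("DNS", node_name.lower().rstrip(".")),)
    return ((), san)  # empty subject: no commonName at all


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' is honoured only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # wildcard matches exactly one label and must leave at least one real label
        return len(h_labels) > 1 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _common_names(cert):
    """All commonName values in subject order (last one treated as most specific)."""
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn
            if attr == "commonName"]


def matches_identity(cert, reference):
    """Check `reference` (hostname or IP literal) against `cert` per RFC 2818 s3.1.
    Returns (matched, reason); `reason` names the rule that decided."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    san = cert.get("subjectAltName", ())

    if ref_ip is not None:
        # IP references: an iPAddress SAN must be present and match exactly.
        # The CN is never consulted, so an IP written into a CN does not count.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ref_ip:
                return True, "iPAddress SAN"
        return False, "no matching iPAddress SAN (CN not consulted for IP references)"

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # Any dNSName SAN present: it MUST be used; the CN is ignored even if it would match.
        for name in dns_names:
            if _dns_match(name, reference):
                return True, "dNSName SAN"
        return False, "dNSName SANs present but none match (CN ignored)"

    # Deprecated fallback: no dNSName SAN at all, so the most specific CN is used.
    cns = _common_names(cert)
    if cns and _dns_match(cns[-1], reference):
        return True, "commonName (deprecated fallback)"
    return False, "no dNSName SAN and no matching commonName"


if __name__ == "__main__":
    # Constructed sample: the current CN-only style versus the proposed SAN-only style
    cn_only = {"subject": ((("commonName", "10.0.0.5"),),), "subjectAltName": ()}
    subject, san = plan_self_signed_identity("10.0.0.5")
    proposed = {"subject": subject, "subjectAltName": san}
    print("CN-only cert for an IP node:", matches_identity(cn_only, "10.0.0.5"))
    print("SAN-only cert for an IP node:", matches_identity(proposed, "10.0.0.5"))
```

Running the block shows the concrete failure the issue is about: a node named by a raw IP whose cert carries that IP only in the CN never verifies, while the planned SAN-only cert does; the `dns_names` branch likewise shows why a matching CN is useless once any dNSName SAN is present, so leaving the CN blank loses nothing.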


People

ritam.sharma Ritam Sharma
dfinlay Dave Finlay