Help me generate a certificate with a proper SAN and no COMMON NAME

I’m attempting to create a role and generate a certificate for a Golang mtls-setup (running in docker swarm).

In this example, there’s a server at mtls-server.company_net and a client at mtls-server.company_net.

1 - Generating certificates with

vault write pki_int/issue/mtls_provider \
  alt_names=mtls-server.company_net \
  uri_sans=mtls-server.company_net \
  ttl="24h"

the go-code will complain that

x509: certificate is not valid for any names, but wanted to match mtls-server.company_net

2 - Generating certificates with

vault write pki_int/issue/mtls_provider \
  common_name=mtls-client.company_net \
  alt_names=mtls-server.company_net \
  uri_sans=mtls-server.company_net \
  ttl="24h"

the go-code will complain that

x509: certificate relies on legacy Common Name field, use SANs instead

The certificate does contain the following

            X509v3 Subject Alternative Name:
                URI:mtls-server.company_net

I guess I need DNS:mtls-server.company_net ?
Newbie alert!

You need a common name for the certificate, but nothing says that the name must be in DNS - even if it was, you can get around it by defining it locally in your hosts file.

Then use SAN for the DNS name and actual use. It’s an odd way of doing it, but you can technically do it.
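An added example, not part of the original thread: a Go program showing which certificate fields Go's hostname verification accepts for the name in the question. The self-signed throwaway certificates and the `hostnameCheck` helper are constructed for illustration and do not involve Vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// hostnameCheck (hypothetical helper) builds a throwaway self-signed certificate
// with the given Common Name, DNS SANs and URI SANs, then runs Go's hostname check.
func hostnameCheck(cn string, dns, uris []string, host string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
	}
	for _, u := range uris {
		parsed, err := url.Parse(u)
		if err != nil {
			return err
		}
		tmpl.URIs = append(tmpl.URIs, parsed)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	// Re-parse so the check sees the certificate exactly as a TLS peer would.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // nil only when a DNS (or IP) SAN matches
}

func main() {
	const host = "mtls-server.company_net" // name taken from the thread
	fmt.Println("URI SAN only:", hostnameCheck("", nil, []string{host}, host))
	fmt.Println("CN only:     ", hostnameCheck(host, nil, nil, host))
	fmt.Println("DNS SAN:     ", hostnameCheck("", []string{host}, nil, host))
}
```

Only the last case returns a nil error: current Go releases match hostnames against DNS SAN entries and ignore both the Common Name and URI SANs.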