TIL: easy-rsa and subjectAltName
TIL: SANs don’t just get copied
background
i’m writing some documentation for enabling mTLS in SONiC for telemetry.
there are basically 4 tasks:
- setup a quick and dirty CA
- generate Certificate Signing Requests (CSRs) on the devices of interest
- sign the CSRs - generating certificates that contain the nibbly bits that allow mTLS to work.
- install signed certs into the devices/clients of interest
profit.
for #1, easy-RSA seemed like the move here. that took less than 5 minutes to set up courtesy of brew.sh and some judicious re-use of an old vars file for home use.
for #2 that was a small matter of configuration file generation and generating CSRs a la the openssl tools. no big whup. quick inspection of the CSR shows that it has the IP.# and DNS.# entries that i want in the SAN.
for #3 that appears to go swimmingly with no errors being emitted from the tooling.
record scratch … wait, a quick verification shows that there’s nothing in the SAN. where’d that stuff go?
there doesn’t seem to be a well formed solution here for making easy-rsa do this by default, but the following seems to do the trick in terms of allowing you to inject the necessary bits into the SAN.
the key flags here are:
- --copy-ext - copies the extended attributes
- --san - allows the injection of the SAN bits into the signed cert.
```bash
easyrsa --san="IP:172.20.20.12" --copy-ext import-req switch-server.csr switch-server
easyrsa --copy-ext --san="IP:172.20.20.12" sign-req server switch-server
```
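the check i'd want around this, as an added example that is not from the post or from easy-rsa: build a CSR with the SAN set, sign it with a throwaway CA both without and with an injected SAN, and compare what the CSR asked for against what the cert actually carries. it uses plain openssl rather than easy-rsa; the IP is the one above, the DNS name switch-server.lab and the CA name are made up.

```bash
#!/usr/bin/env bash
# added example, not code from the post or from easy-rsa: build a CSR whose SAN
# carries the IP/DNS bits, sign it with a throwaway CA, and check whether the
# signed cert kept the SAN. plain openssl is used (easy-rsa wraps it); the IP
# is the one from the post, the DNS name and CA name are made up.
set -eo pipefail
WORK=$(mktemp -d); cd "$WORK"

# print the SAN value of a CSR (req) or cert (x509); empty when absent.
san_of() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text 2>/dev/null \
    | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# succeeds only when the cert carries a non-empty SAN equal to the CSR's SAN.
san_copied() {  # $1 = csr, $2 = crt
  local want got
  want=$(san_of req "$1"); got=$(san_of x509 "$2")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# key + CSR with the SAN set from a generated openssl config (task #2 above).
make_csr() {  # $1 = name, $2 = IP, $3 = DNS
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=v3_req\n' > "$1.cnf"
  printf '[dn]\nCN=%s\n[v3_req]\nsubjectAltName=IP:%s,DNS:%s\n' "$1" "$2" "$3" >> "$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -config "$1.cnf" 2>/dev/null
}

# sign with the CA. with no extension source the CSR's SAN is silently dropped
# (the surprise above); $3 = optional "IP:..,DNS:.." injected like --san does.
sign_csr() {  # $1 = name, $2 = output cert, $3 = SAN string or ""
  local ext=()
  if [ -n "${3:-}" ]; then
    printf 'subjectAltName=%s\n' "$3" > "$1.ext"; ext=(-extfile "$1.ext")
  fi
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out "$2" "${ext[@]}" 2>/dev/null
}
# throwaway CA, then the two signings side by side
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=til-ca -days 1 2>/dev/null
make_csr switch-server 172.20.20.12 switch-server.lab
echo "CSR SAN : $(san_of req switch-server.csr)"
sign_csr switch-server plain.crt ""
sign_csr switch-server withsan.crt "IP:172.20.20.12,DNS:switch-server.lab"
for c in plain.crt withsan.crt; do
  san_copied switch-server.csr "$c" && echo "$c: SAN kept" || echo "$c: SAN dropped"
done
```

the same san_copied check works on the easy-rsa output: point it at the CSR you imported and the cert sign-req wrote under pki/issued/.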
NB: i still haven’t definitively determined if there’s something horked in my vars file that i used when i generated the CA. this requires more digging in the code.