
Commit 9c196b6

committed
Make CSR code match standard certificate generation
1 parent e28ee7d commit 9c196b6


1 file changed

+19
-9
lines changed


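--- a/cert.go
+++ b/cert.go
@@ -225,22 +225,30 @@ func (m *mkcert) makeCertFromCSR() {
 	fatalIfErr(err, "failed to parse the CSR")
 	fatalIfErr(csr.CheckSignature(), "invalid CSR signature")
 
+	expiration := time.Now().AddDate(2, 3, 0)
 	tpl := &x509.Certificate{
 		SerialNumber: randomSerialNumber(),
 		Subject: csr.Subject,
-		ExtraExtensions: csr.Extensions, // includes requested SANs
-
-		NotAfter: time.Now().AddDate(10, 0, 0),
-		NotBefore: time.Now(),
+		ExtraExtensions: csr.Extensions, // includes requested SANs, KUs and EKUs
 
-		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
+		NotBefore: time.Now(), NotAfter: expiration,
 
 		// If the CSR does not request a SAN extension, fix it up for them as
 		// the Common Name field does not work in modern browsers. Otherwise,
 		// this will get overridden.
 		DNSNames: []string{csr.Subject.CommonName},
+
+		// Likewise, if the CSR does not set KUs and EKUs, fix it up as Apple
+		// platforms require serverAuth for TLS.
+		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+
+	if m.client {
+		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
+	}
+	if len(csr.EmailAddresses) > 0 {
+		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)
 	}
 
 	cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, csr.PublicKey, m.caKey)
@@ -252,8 +260,8 @@ func (m *mkcert) makeCertFromCSR() {
 	for _, ip := range csr.IPAddresses {
 		hosts = append(hosts, ip.String())
 	}
-	if len(hosts) == 0 {
-		hosts = []string{csr.Subject.CommonName}
+	for _, uri := range csr.URIs {
+		hosts = append(hosts, uri.String())
 	}
 	certFile, _, _ := m.fileNames(hosts)
 
@@ -264,6 +272,8 @@ func (m *mkcert) makeCertFromCSR() {
 	m.printHosts(hosts)
 
 	log.Printf("\nThe certificate is at \"%s\"\n\n", certFile)
+
+	log.Printf("It will expire on %s 🗓\n\n", expiration.Format("2 January 2006"))
 }
 
 // loadCA will load or create the CA at CAROOT.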
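Review bot: `ExtraExtensions: csr.Extensions` copies every extension in the CSR into the signed certificate, and x509.CreateCertificate lets those raw values override the template's own fields, so a CSR carrying basicConstraints CA:TRUE or a keyCertSign key usage would be signed as an intermediate CA under the locally trusted mkcert root; the same hunk also drops `BasicConstraintsValid: true`, so the leaf no longer asserts CA:FALSE on its own. Whoever hands mkcert a CSR can normally read CAROOT anyway, so this is more a footgun for mis-generated CSRs than a privilege boundary, but a signer should still allowlist the extensions it means to honor (SAN, KU, EKU) and keep basic constraints explicit, as sketched below. Separately, with the `len(hosts) == 0` fallback gone, a CN-only CSR leaves `hosts` empty for `fileNames`/`printHosts` while the certificate still receives the CN as a DNSName via the `DNSNames: []string{csr.Subject.CommonName}` default — worth confirming that is intended, since the start of the `hosts` construction is outside the hunk. makeCertFromCSR begins before the first hunk.

```go
	// Only copy the extensions we deliberately honor from the CSR; anything
	// else (basicConstraints, nameConstraints, ...) must not be signed blind.
	allowed := []asn1.ObjectIdentifier{
		{2, 5, 29, 17}, // subjectAltName
		{2, 5, 29, 15}, // keyUsage
		{2, 5, 29, 37}, // extKeyUsage
	}
	exts := make([]pkix.Extension, 0, len(csr.Extensions))
	for _, e := range csr.Extensions {
		for _, id := range allowed {
			if e.Id.Equal(id) {
				exts = append(exts, e)
				break
			}
		}
	}
	tpl := &x509.Certificate{
		SerialNumber:          randomSerialNumber(),
		Subject:               csr.Subject,
		ExtraExtensions:       exts, // requested SANs, KUs and EKUs only
		BasicConstraintsValid: true, // explicit CA:FALSE on the leaf
		// … unchanged: NotBefore/NotAfter, DNSNames, KeyUsage, ExtKeyUsage …
	}
```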
