Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
As we're all aware, changes to how Chrome (and possibly other browsers in the future) disregard the common name field of an SSL certificate are making specifying correct SAN records in generated SSL certificates more important.
In pfSense, an IP address entered as a SAN on the certificate generation page results in an incorrect SAN record in the resulting certificate with the IP address understood as a FQDN/hostname rather than an IP. The final ssl cert SAN record ends up looking like "DNS Name=192.168.42.1" instead of "IP=192.168.42.1".
pfSense should parse the contents of the SAN fields submitted by the user and specify the correct SAN type during certificate generation. Hostnames and FQDNs should continue to use the DNS SAN record type, but IP addresses (obligatory "remember to include IPv6 parsing" reminder) should use the IP=a.b.c.d record type instead.
Fix certificate SAN input validation so it does not improperly allow an IP address when FQDN is selected. Fixes #8275
#1 Updated by Jim Pingle almost 3 years ago
- Subject changed from Certificate SAN (Subject Alternative Name) generated incorrectly for IP addresses to Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
- Assignee set to Jim Pingle
- Priority changed from Normal to Very Low
- Affected Version set to All
The user specifies the SAN type when making entries in the SAN list. If you choose "IP Address" it makes proper entries.
The only case for a bug here is that input validation doesn't reject an IP address made using the "FQDN or Hostname" selection.
You can work around your issue by properly selecting "IP Address" for the Type field in the Alternative Names list when creating a certificate.