Skip to content

Commit

Permalink
renew: Move SAN critical into SAN detected step
Browse files Browse the repository at this point in the history
Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Jul 29, 2024
1 parent 30fe311 commit 81256ce
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions dev/easyrsa-tools.lib
Original file line number Diff line number Diff line change
Expand Up @@ -1007,14 +1007,6 @@ Cannot renew this certificate, a conflicting file exists:
# Extract certificate usage from old cert
ssl_cert_x509v3_eku "$crt_in" cert_type

# --san-crit
unset -v EASYRSA_SAN_CRIT
if grep -q 'X509v3 Subject Alternative Name: critical' "$crt_in"
then
export EASYRSA_SAN_CRIT='critical,'
verbose "renew: --san-crit ENABLED"
fi

# Use SAN from old cert ONLY
if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
EASYRSA_SAN="$(
Expand All @@ -1025,6 +1017,15 @@ Cannot renew this certificate, a conflicting file exists:
)" || die "renew - EASYRSA_SAN: easyrsa_openssl subshell"
verbose "renew: EASYRSA_SAN: ${EASYRSA_SAN}"

# --san-crit
unset -v EASYRSA_SAN_CRIT
if grep -q 'X509v3 Subject Alternative Name: critical' \
"$crt_in"
then
export EASYRSA_SAN_CRIT='critical,'
verbose "renew: --san-crit ENABLED"
fi

export EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
Expand Down

0 comments on commit 81256ce

Please sign in to comment.