minica
Option to enable PermittedDNSDomains
Hi!
Would you accept a PR that adds an option to fill in PermittedDNSDomains? I verified it works if I just add 2 lines to the template:
PermittedDNSDomainsCritical: true,
PermittedDNSDomains: []string{".local", ".me.dev"},
Then if I try to generate a cert for google.com it fails validation:
$ ./minica -domains google.com
$ openssl verify -CAfile minica.pem google.com/cert.pem
CN = google.com
error 47 at 0 depth lookup: permitted subtree violation
error google.com/cert.pem: verification failed
It'll take a bunch of changes to pass a new CLI option all the way up to makeRootCert.
Have you looked at mkcert? https://github.com/FiloSottile/mkcert
It might be closer to what you're looking for.
On Sat, Apr 20, 2019, 07:23 Justin [email protected] wrote:
Hi!
Would you accept a PR that adds an option to fill in PermittedDNSDomains? I verified it works if I just add 2 lines to the template:
PermittedDNSDomainsCritical: true,
PermittedDNSDomains: []string{".local", ".me.dev"},
Then if I try to generate a cert for google.com it fails validation:
$ ./minica -domains google.com
$ openssl verify -CAfile minica.pem google.com/cert.pem
CN = google.com
error 47 at 0 depth lookup: permitted subtree violation
error google.com/cert.pem: verification failed
It'll take a bunch of changes to pass a new CLI option all the way up to makeRootCert.
I have.. minica is what I'm looking for (easy ssl certs for local services and IoT crap). mkcert has the same issue with not being able to limit the scope of the CA anyway.
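The scope limit discussed in this thread, as an added example that is not minica's code or part of any post: a throwaway root carrying the two PermittedDNSDomains values from the first post issues a leaf, and Go's crypto/x509 verifier is asked to validate it. The names `sign` and `checkLeaf`, the subject name and the sample domains are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent (constructed, throwaway keys) and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// checkLeaf issues a leaf for domain under a root limited to permitted and verifies the chain.
func checkLeaf(permitted []string, domain string) (rejected bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: permitted}
	root := sign(rootTmpl, rootTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{domain}}, root, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName, err
}

func main() {
	for _, d := range []string{"printer.local", "google.com"} {
		r, err := checkLeaf([]string{".local", ".me.dev"}, d)
		fmt.Printf("%-14s rejected=%v err=%v\n", d, r, err)
	}
}
```

The CA still signs the out-of-scope name; it is the verifier that refuses the chain, so the limit only protects clients whose TLS library enforces name constraints.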