add DNS name to CSR during rotation

karimra · May 17, 2023 · 871bebb · 871bebb
1 parent 0884b3d
commit 871bebb
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 29 deletions.
diff --git a/app/certInstall.go b/app/certInstall.go
@@ -29,7 +29,7 @@ func (a *App) InitCertInstallFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&a.Config.CertInstallCertificateID, "id", "", "Certificate ID")
 	cmd.Flags().StringVar(&a.Config.CertInstallKeyType, "key-type", "KT_RSA", "Key Type")
 	cmd.Flags().StringVar(&a.Config.CertInstallCertificateType, "cert-type", "CT_X509", "Certificate Type")
-	cmd.Flags().Uint32Var(&a.Config.CertInstallMinKeySize, "min-key-size", 1024, "Minimum Key Size")
+	cmd.Flags().Uint32Var(&a.Config.CertInstallMinKeySize, "min-key-size", 2048, "Minimum Key Size")
 	cmd.Flags().StringVar(&a.Config.CertInstallCommonName, "common-name", "", "CSR common name")
 	cmd.Flags().StringVar(&a.Config.CertInstallCountry, "country", "", "CSR country")
 	cmd.Flags().StringVar(&a.Config.CertInstallState, "state", "", "CSR state")
@@ -137,7 +137,6 @@ func (a *App) CertInstall(ctx context.Context, t *api.Target) error {
 			a.Config.CertInstallGenCSR = true
 		}
 	}
-
 	keyPair := new(cert.KeyPair)
 	var creq *x509.CertificateRequest
 
@@ -176,7 +175,7 @@ func (a *App) CertInstall(ctx context.Context, t *api.Target) error {
 		return err
 	}
 	a.Logger.Debugf("%q signed certificate:\n%s\n", t.Config.Address, sCertText)
-	// encode signed certifcate in PEM format
+	// encode signed certificate in PEM format
 	b, err := toPEM(signedCert)
 	if err != nil {
 		return fmt.Errorf("%q failed to encode as PEM: %v", t.Config.Address, err)
@@ -302,21 +301,24 @@ func (a *App) createRemoteCSRInstall(stream cert.CertificateManagement_InstallCl
 	if ipAddr == "" {
 		ipAddr = t.Config.ResolvedIP
 	}
+	csrParamsOpts := []gcert.CertOption{
+		gcert.CertificateType(a.Config.CertInstallCertificateType),
+		gcert.MinKeySize(a.Config.CertInstallMinKeySize),
+		gcert.KeyType(a.Config.CertInstallKeyType),
+		gcert.CommonName(commonName),
+		gcert.Country(a.Config.CertInstallCountry),
+		gcert.State(a.Config.CertInstallState),
+		gcert.City(a.Config.CertInstallCity),
+		gcert.Org(a.Config.CertInstallOrg),
+		gcert.OrgUnit(a.Config.CertInstallOrgUnit),
+		gcert.IPAddress(ipAddr),
+	}
+	if a.Config.CertInstallEmailID != "" {
+		csrParamsOpts = append(csrParamsOpts, gcert.EmailID(a.Config.CertInstallEmailID))
+	}
 	req, err := gcert.NewCertInstallGenerateCSRRequest(
 		gcert.CertificateID(a.Config.CertInstallCertificateID),
-		gcert.CSRParams(
-			gcert.CertificateType(a.Config.CertInstallCertificateType),
-			gcert.MinKeySize(a.Config.CertInstallMinKeySize),
-			gcert.KeyType(a.Config.CertInstallKeyType),
-			gcert.CommonName(commonName),
-			gcert.Country(a.Config.CertInstallCountry),
-			gcert.State(a.Config.CertInstallState),
-			gcert.City(a.Config.CertInstallCity),
-			gcert.Org(a.Config.CertInstallOrg),
-			gcert.OrgUnit(a.Config.CertInstallOrgUnit),
-			gcert.IPAddress(ipAddr),
-			gcert.EmailID(a.Config.CertInstallEmailID),
-		),
+		gcert.CSRParams(csrParamsOpts...),
 	)
 	if err != nil {
 		return nil, err

diff --git a/app/certRotate.go b/app/certRotate.go
@@ -79,6 +79,7 @@ func (a *App) RunECertRotate(cmd *cobra.Command, args []string) error {
 			ctx, cancel := context.WithCancel(a.ctx)
 			defer cancel()
 			ctx = metadata.AppendToOutgoingContext(ctx, "username", *t.Config.Username, "password", *t.Config.Password)
+
 			err = t.CreateGrpcClient(ctx, a.createBaseDialOpts()...)
 			if err != nil {
 				responseChan <- &TargetError{
@@ -133,6 +134,7 @@ func (a *App) CertRotate(ctx context.Context, t *api.Target) error {
 			a.Config.CertRotateGenCSR = true
 		}
 	}
+
 	keyPair := new(cert.KeyPair)
 	var creq *x509.CertificateRequest
 
@@ -163,6 +165,11 @@ func (a *App) CertRotate(ctx context.Context, t *api.Target) error {
 	if err != nil {
 		return fmt.Errorf("failed signing certificate: %v", err)
 	}
+	sCertText, err := CertificateText(signedCert, false)
+	if err != nil {
+		return err
+	}
+	a.Logger.Debugf("%q signed certificate:\n%s\n", t.Config.Address, sCertText)
 	b, err := toPEM(signedCert)
 	if err != nil {
 		return fmt.Errorf("failed toPEM: %v", err)
@@ -267,6 +274,7 @@ func (a *App) createLocalCSRRotate(t *api.Target) (*cert.KeyPair, *x509.Certific
 		EmailAddresses:     []string{a.Config.CertRotateEmailID},
 		SignatureAlgorithm: x509.SHA256WithRSA,
 		IPAddresses:        make([]net.IP, 0),
+		DNSNames:           []string{commonName},
 	}
 
 	if ipAddrs != nil {
@@ -300,21 +308,25 @@ func (a *App) createRemoteCSRRotate(stream cert.CertificateManagement_RotateClie
 	if ipAddr == "" {
 		ipAddr = t.Config.ResolvedIP
 	}
+	csrParamsOpts := []gcert.CertOption{
+		gcert.CertificateType(a.Config.CertRotateCertificateType),
+		gcert.MinKeySize(a.Config.CertRotateMinKeySize),
+		gcert.KeyType(a.Config.CertRotateKeyType),
+		gcert.CommonName(commonName),
+		gcert.Country(a.Config.CertRotateCountry),
+		gcert.State(a.Config.CertRotateState),
+		gcert.City(a.Config.CertRotateCity),
+		gcert.Org(a.Config.CertRotateOrg),
+		gcert.OrgUnit(a.Config.CertRotateOrgUnit),
+		gcert.IPAddress(ipAddr),
+	}
+	if a.Config.CertRotateEmailID != "" {
+		csrParamsOpts = append(csrParamsOpts, gcert.EmailID(a.Config.CertRotateEmailID))
+	}
+
 	req, err := gcert.NewCertRotateGenerateCSRRequest(
 		gcert.CertificateID(a.Config.CertRotateCertificateID),
-		gcert.CSRParams(
-			gcert.CertificateType(a.Config.CertRotateCertificateType),
-			gcert.MinKeySize(a.Config.CertRotateMinKeySize),
-			gcert.KeyType(a.Config.CertRotateKeyType),
-			gcert.CommonName(commonName),
-			gcert.Country(a.Config.CertRotateCountry),
-			gcert.State(a.Config.CertRotateState),
-			gcert.City(a.Config.CertRotateCity),
-			gcert.Org(a.Config.CertRotateOrg),
-			gcert.OrgUnit(a.Config.CertRotateOrgUnit),
-			gcert.IPAddress(ipAddr),
-			gcert.EmailID(a.Config.CertRotateEmailID),
-		),
+		gcert.CSRParams(csrParamsOpts...),
 	)
 	if err != nil {
 		return nil, err