As it currently stands:
-D DNSNAME Add an extensionRequest for a subjectAltName, with the specified DNS name as its value, to the signing request.
I believe, and my testing has shown, that for multiple SANs they should be separated by commas, so: '-D foo.example.com,bar.example.com', but it is possible to do '-D foo.example.com -D bar.example.com', so I am not 100% sure what the 'right' way to do this is. For our needs the comma is the right approach to pass to an upstream CA, and commas seem to work with SelfSign, but I'll leave it to the experts. Any which way, if the docs could clarify it, that would be great, and it would help to clarify the info in the helpers.txt file as well for CERTMONGER_REQ_HOSTNAME.
Finally if multiple -D options shouldn't happen, perhaps the code should check for that and stop it.
Thanks.
I retract my statement about commas; after more research, multiple -D's seem to be the way to do it. However, I would still suggest documenting this in more detail in the man page and in the helpers.txt file, letting folks know that multiple entries will be separated by newlines.
-Erinn
I'm not sure what you mean by "separated by newlines". Each -D will create a new DNS SAN in the CSR.
If we have '-D foo.example.com -D bar.example.com', certmonger populates CERTMONGER_REQ_HOSTNAME='foo.example.com\nbar.example.com', or to put it slightly differently, here is the code I wrote to basically make it a CSV (Python): sans = ','.join(os.environ.get('CERTMONGER_REQ_HOSTNAME', '').split('\n'))
Does that make more sense?
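An added example, not part of the thread or of certmonger's code: a helper-side parser for the newline-separated CERTMONGER_REQ_HOSTNAME value described above, which validates each name before joining them for an upstream CA. The function names, the validation rules and the comma-joined output are assumptions for illustration.

```python
import os
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_dns_san(name):
    """Accept a hostname, or a name whose leftmost label is a lone '*'."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if len(labels) < 2:  # reject '*' and '*.com'
            return False
    return all(_LABEL.fullmatch(label) for label in labels)


def parse_req_hostnames(raw):
    """Split the newline-separated value into a de-duplicated list of DNS SANs."""
    names, seen = [], set()
    for line in raw.split("\n"):
        name = line.strip()
        if not name:
            continue  # unset variable or stray blank line
        if not is_valid_dns_san(name):
            # A single entry such as 'foo.example.com,bar.example.com' lands here.
            raise ValueError("refusing SAN %r" % line)
        if name.lower() not in seen:  # DNS names compare case-insensitively
            seen.add(name.lower())
            names.append(name)
    return names


def sans_for_upstream(environ=os.environ):
    """Comma-joined SAN list (assumed format of a hypothetical upstream CA API)."""
    raw = environ.get("CERTMONGER_REQ_HOSTNAME", "")
    return ",".join(parse_req_hostnames(raw))


if __name__ == "__main__":
    # Constructed sample mirroring '-D foo.example.com -D bar.example.com'.
    sample = {"CERTMONGER_REQ_HOSTNAME": "foo.example.com\nbar.example.com"}
    print(sans_for_upstream(sample))
```

Rejecting any entry that is not a plain DNS name keeps a comma-joined or otherwise malformed value from being forwarded to the CA as if it were one hostname.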
Is this what you had in mind?
https://pagure.io/certmonger/pull-request/106
Yeah, I think that does it. Thanks for putting it together; as mentioned, I would have, but I was unsure as to what the 'right' way was.
master: ba4c5049e9f83677c3a10f2b14ae70153715ccc4
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)