Webgui Https error NET::ERR_CERT_COMMON_NAME_INVALID

Status
Not open for further replies.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'll assume (based on the bugs noted above), though I haven't yet tested, that 11-U1 does actually use the commonName as a SAN as well, but there's no field allowing you to specify additional SANs.
Now tested, and confirmed. Here's a cert I just generated on my FN11 box, for anyone else who wants to check:

It does have a SAN, but the SAN is just set to equal the CN and can't be changed through the FreeNAS web GUI. This would fix OP's problem, but wouldn't address any other possible uses of the SAN field.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Well, not everyone; I use the hostname.

It's been long enough since I used a consumer router that I don't know if it's a common capability, but my pfSense router, and my Linux server/router before that, both provid(ed) local DNS, and both make it easy to add a hostname -> IP mapping. Given that capability, why would you prefer to remember IPs for whatever you need to manage? Isn't that kind of the point of DNS?
To each their own, as one should utilize whichever way they're used to/is most efficient for them =]

You might be thinking at this point that this is getting a bit overly obsessive. You're probably right, but I'd counter that wanting to use SSL on a home LAN is probably a bit overly obsessive as well. And I'd suspect that pretty much anyone who has the ability to do anything even remotely intelligent with SSL, probably also has the capability to set up local DNS so they can use hostnames.
I don't think you're being overly obsessive, we just have different approaches to the same solution. For LANs, the issue comes down to basic security, as unless one is utilizing an SSL cert for WebUI logins, the password is passed via plaintext, which should never be allowed, regardless if one is the only one on a LAN or not. If one is okay with passing a WebUI's password over plaintext, then why has one created a password for that WebUI to begin with?

As a side note, and touching on a discussion we had some time back in another thread, your response here illustrates a drawback to your preferred MO of "continuously edit your post unless/until someone else has replied to the thread." I got an email notification of your reply, which at the time contained only one sentence. After I visited the thread to see that, I got no further notification of anything else (since there were no new posts).
As to editing posts, I've come across a few threads on this forum over the years of a user being reprimanded for trolling by moderators for adding new post after new post, instead of simply editing their original post if no one has replied yet. It seems not all moderators are on the same page on this... either way, from a simple efficiency standpoint, it's impractical and inefficient to post new post after new post, rather than simply editing the current post. Email alerts are an entirely separate issue and have no bearing on this, however, when replying to your posts in the future, if I have to make major edits, I'll delete and repost the edited post, which will issue an alert with the updated edits.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Now tested, and confirmed. Here's a cert I just generated on my FN11 box, for anyone else who wants to check:

It does have a SAN, but the SAN is just set to equal the CN and can't be changed through the FreeNAS web GUI. This would fix OP's problem, but wouldn't address any other possible uses of the SAN field.
While this can be fixed via editing the ssl creation script, there are three clear problems I see with that cert, and thereby all certs generated via the WebUI:
  1. No KU specifying its key usages, which for a Web/VPN server cert should be: keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    • This will result with Digital Signature, Non-Repudiation, Key Encipherment, Key Agreement (e8) under Key Usage in the cert
      • Technically, only nonRepudiation, keyEncipherment are required, however specifying nonRepudiation, digitalSignature, keyEncipherment, keyAgreement allows for all encryption protocol possibilities
  2. No EKU, or OID 1.3.6.1.5.5.7.3.1, specifying its Extended Key Usage as a server cert (opening up the opportunity for a MITM attack if utilizing it as a Web or VPN server cert), or specification as a client cert if utilizing it as a VPN client cert.
  3. It lacks Basic Constraints (basicConstraints = critical, CA:FALSE), which all non-CAs/non-ICAs must always have.
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
if I have to make major edits, I'll delete and repost the edited post, which will issue an alert with the updated edits.
...which it did. I'd disagree that "Email alerts are an entirely separate issue and have no bearing on this", as they're part of how the forum works, and what we do with posting should be informed by how the forum works.

I'm not dogmatic either way. I do what I do, and so far I haven't seen anyone complain about it. I'm certainly not asking you to take special care on my account; do what you want to do, and most likely it will be fine as well. But there are pros and cons to everything, and I thought what happened with that post was a good illustration of one of the cons. In any event, thread-jack over.
 
Last edited:

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
It's worth a shot [filing a bug report], as the WebUI's config files would also need to be edited to create a box for passing additional arguments to the openssl script... however how passing those could be implemented in a sane manner would likely require a decent amount of time on reworking that script.

For example, here is my WebUI server cert [chained with ICA & CA to demonstrate chain of trust] showing what the above would look like in a cert:

 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It's worth a shot [filing a bug report], as the WebUI's config files would also need to be edited to create a box for passing additional arguments to the openssl script
Would that be necessary? I don't think FreeNAS is intended to serve as a general-purpose CA. Could it generate web-server certs, properly configured, without additional user input over what's already required?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Would that be necessary? I don't think FreeNAS is intended to serve as a general-purpose CA. Could it generate web-server certs, properly configured, without additional user input over what's already required?
Without user input, it would have to be configured to always issue server certs or always issue client certs (though a checkbox could simply be added to the WebUI to check if it's a client cert, thereby negating having to implement typed input).
  • Having it only issue server certs with the following set in the openssl.cnf should suffice:
Code:
[ CA_default ]
x509_extensions        = usr_cert_not_dn

[ usr_cert_not_dn ]
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage       = critical, serverAuth
  • This post provides a good explanation of which Key Usages allow what ciphers
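As an added, stand-alone example (not from this thread or from FreeNAS), the following script issues a self-signed web-server cert carrying the three extensions zoomzoom listed earlier (Basic Constraints, KU, EKU) using the same section shape as the openssl.cnf above, adds an explicit SAN (the issue the OP hit), and then checks the result from `openssl x509 -text` the way a reviewer would. It assumes `openssl` is on PATH; the hostname and IP are constructed sample values, and authorityKeyIdentifier is left out because a self-signed cert has no separate issuer.

```shell
#!/bin/sh
# Added example: self-signed server cert with Basic Constraints, KU, EKU and SAN,
# followed by a check that each extension is actually present in the output.
# Assumes `openssl` is installed. freenas.local / 192.0.2.10 are constructed values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = freenas.local

# Same shape as the thread's usr_cert_not_dn section, plus a SAN.
[ usr_cert_not_dn ]
basicConstraints     = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage     = critical, serverAuth
subjectAltName       = DNS:freenas.local, IP:192.0.2.10
EOF

# Generate key + cert; -extensions picks the section above for the self-signed cert.
gen_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -extensions usr_cert_not_dn \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Prints "ok" when every expected extension shows up in the decoded cert,
# otherwise lists what is missing (this is the check to run on a GUI-issued cert).
check_cert() {
  text=$(openssl x509 -in "$WORK/cert.pem" -noout -text)
  missing=""
  for want in "CA:FALSE" "TLS Web Server Authentication" \
              "DNS:freenas.local" "IP Address:192.0.2.10" \
              "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"; do
    case "$text" in
      *"$want"*) ;;
      *) missing="$missing [$want]" ;;
    esac
  done
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

gen_cert
check_cert
```

Point the same `check_cert` loop at a cert exported from the FreeNAS GUI to see exactly which of the three extensions it lacks.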
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm thinking that the real intent of this system in the GUI is to create certs for the FreeNAS box itself, with some possible thought given to using it to create certs for other servers on the LAN. I don't think (though I could certainly be wrong in this regard) it was ever intended to create client certs.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
I've updated my system to FN 11

Where indeed the problem seems solved half the time.

It seems at random times the CA will still not include the SAN common name.
Regenerating the same CA with the same settings will half of the time fix that :D
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@q_fleuren Please file a bug report and post the link back here.
 