@DRN88
Last active November 9, 2024 04:23
easyrsa3-quick-wildcardcert
#!/bin/bash
# Quick wildcard server certificate with easy-rsa 3 (private CA for a local domain)
set -euo pipefail

FQDN="domain.local"
CERT_FILENAME="wildcard.${FQDN}"
CERT_COMMONNAME="*.${FQDN}"

# Fetch the easy-rsa master archive and keep only the easyrsa3 directory
wget "https://github.com/OpenVPN/easy-rsa/archive/master.zip"
unzip master.zip
mv easy-rsa-master/easyrsa3/ .
rm -rf master.zip easy-rsa-master/
cd easyrsa3
cp vars.example vars
#
# Edit vars file
#
# For EKU set clientAuth and serverAuth
# cp openssl-1.0.cnf openssl-1.0.cnf.original
# sed -ri '/^keyUsage = cRLSign, keyCertSign$/ a extendedKeyUsage = clientAuth, serverAuth' openssl-1.0.cnf
#
# To check if EKU is correct:
#
# openssl x509 -in pki/ca.crt -text -noout | grep -A1 'X509v3 Extended Key Usage'
# X509v3 Extended Key Usage:
# TLS Web Client Authentication, TLS Web Server Authentication
#
# Now you can import it into your Browser or cert store
#
./easyrsa init-pki
# CA key without a passphrase: convenient for a lab, keep pki/private/ca.key protected
./easyrsa --batch build-ca nopass
# Request and sign the wildcard certificate as a server cert
./easyrsa --batch --req-cn="${CERT_COMMONNAME}" gen-req "${CERT_FILENAME}" nopass
./easyrsa --batch sign-req server "${CERT_FILENAME}"
./easyrsa --batch gen-dh
# Haproxy bundle
# cat pki/private/
@jeremysherriff

Hi, this is not working for me (tested on Chromium-based browsers):

This server could not prove that it is sub.myhost; its security certificate is from *.myhost. This may be caused by a misconfiguration or an attacker intercepting your connection.

If I use "sub" instead of "*", it works for this specific subdomain.

Because this gist page comes up in search results, I thought it useful to close out this comment/question:

Wildcards cannot be used for "top level domains" such as .myhost or .local. There is a requirement for at least two dots in the domain name, which is why the above commenter was unable to get the browser to recognise the cert as valid.

References:

It should work fine for *.myhost.local or similar.
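The rule described in the comments, as an added example that is not part of the gist or the thread: a small POSIX shell matcher that applies the wildcard-name rules browsers enforce (the wildcard must be the whole leftmost label, it must be followed by at least two fixed labels, and it covers exactly one label), so `*.myhost.local` covers `sub.myhost.local` while `*.myhost` covers nothing. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the gist: does a certificate name cover a hostname?
# wildcard_matches PATTERN HOST  -> exit 0 if covered, 1 otherwise.

# count_labels "myhost.local" -> 2 (number of dot-separated labels)
count_labels() {
    n=1; rest=$1
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}; n=$((n + 1))
    done
    echo "$n"
}

wildcard_matches() {
    # DNS names are case-insensitive, so compare in lower case
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    case "$pattern" in
        '*.'*) suffix=${pattern#\*.} ;;
        *)     [ "$pattern" = "$host" ] && return 0; return 1 ;;   # plain name: exact match only
    esac

    # The wildcard must be the entire leftmost label; the fixed part must be a sane name
    case "$suffix" in
        *'*'*|''|.*|*.|*..*) return 1 ;;
    esac

    # At least two fixed labels must follow the wildcard:
    # "*.myhost.local" is acceptable, "*.myhost" and "*.local" are not (the thread's point)
    [ "$(count_labels "$suffix")" -ge 2 ] || return 1

    # The host must be the fixed part with exactly one extra, non-empty label on the left
    case "$host" in
        *."$suffix") ;;
        *) return 1 ;;
    esac
    left=${host%."$suffix"}
    case "$left" in
        ''|*.*|*'*'*) return 1 ;;
    esac
    return 0
}
```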
