Skip to content

Check whether a CSR can always have a wildcard SAN

Description

In Onionmine, and also in Onionspray, the HTTPS keys and self-certificate generation procedure involves creating a CSR so the operator can opt to apply for a CA-issued certificate.

It's preferred having a CSR ready for most use cases, like one that works either for wildcard certificates or those with only a single .onion address.

The procedure on the CA-side involves parsing and validating the CSR, which may imply in accepting, rejecting or skipping SANs, so it's worth checking whether or not the wilcard SAN should be always added.

Tasks

  • Uniformize:
  • Check:
    • Check with CAs about what they do when a wilcard is found in a order for a single .onion address:
      • What HARICA does?
        • Ask them.
        • Document Q&A once/if a response is given.
      • What Digicert does?
        • Ask them.
        • Document Q&A once/if a response is given.
    • Check whether there's a spec on this or if it's an implementation decision.
  • If the CSR is rejected due to mistmatching SANs (like a wildcard):
    • Fix Onionmine's implementation to generate two CSRs:
      • One with only the single .onion address.
      • One with a wildcard.
      • Documentation update to reflect the change.
    • Fix Onionspray's implementation to generate two CSRs:
      • One with only the single .onion address.
      • One with a wildcard.
      • Documentation update to reflect the change.
    • Fix Oniongroove's implementation to generate two CSRs:
      • One with only the single .onion address.
      • One with a wildcard.
      • Documentation update to reflect the change.
    • Update the Ecosystem documentation (ecosystem#14) accordingly.
  • If the CSR is NOT rejected due to mistmatching SANs (like a wildcard):

Time estimation

  • Complexity: very small (0.5 day)
  • Uncertainty: low (x1.1)
  • Reference (adapted)
Edited by Silvio Rhatto