From: Thomas Lamprecht
Date: Mon, 13 Jan 2020 16:25:10 +0000 (+0100)
Subject: certs: generate_csr: allow to set CN explicit
X-Git-Url: https://git.proxmox.com/?p=pve-common.git;a=commitdiff_plain;h=0e4d81adb8de7a59d17df787e28671cf8b668fa2
certs: generate_csr: allow to set CN explicit
Else, when used with ACME, the SAN is always sorted so we always get the Subject Alternative Name sorting alphabetically first, which doesn't necessarily has to be the "primary" domain. While this is rather cosmetically (all SANs are equal) it could still result it flapping CN when SANs and thus possibly the order changes, e.g., in our CDN mirror pool. It also doesn't costs anything to allow control over this, so why not..
Signed-off-by: Thomas Lamprecht
---
diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 2421f3f..5bc9848 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -336,6 +336,9 @@ sub generate_csr {
 my $san = [ map { $_->{value} } grep { $_->{type} eq 'dns' } @$identifiers ];
 die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
+ # optional
+ my $common_name = delete($attr{common_name}) // $san->[0];
+
 my $md = eval { Net::SSLeay::EVP_get_digestbyname($dig_alg) };
 die "Invalid digest algorithm '$dig_alg'\n" if !$md;
@@ -366,7 +369,7 @@ sub generate_csr {
 }
 };
- $add_name_entry->('CN', @$san[0]);
+ $add_name_entry->('CN', $common_name);
 for (qw(C ST L O OU)) {
 if (defined(my $v = $attr{$_})) {
 $add_name_entry->($_, $v);
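Review bot: The new `common_name` attribute in the first hunk goes into the subject CN unchecked (the second hunk passes it straight to `$add_name_entry`), so a caller can request a CN that is not one of the DNS names collected in `$san`, or an empty string, which `//` lets through. ACME servers and CAs that follow the CA/Browser Forum Baseline Requirements generally expect a CN, when present, to match one of the SAN entries, so such a CSR would most likely only fail later at order finalization with a less helpful error. Rejecting it right after the assignment keeps the failure local: `die "common_name '$common_name' is not one of the DNS identifiers\n" if !grep { lc($_) eq lc($common_name) } @$san;`. The `# optional` comment could also state the default, e.g. `# optional, defaults to the first DNS identifier`. generate_csr starts and ends outside both hunks, so how `%attr` is populated is not visible here.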