
Commit 04eb1b9

authored
Merge pull request #1531 from Tugzrida/fix-openssl-strict-mode
fix(TLS): create OpenSSL strict-mode compliant certs
2 parents 8714103 + 631fb7a commit 04eb1b9


2 files changed

+9
-7
lines changed


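--- a/cli/Valet/Site.php
+++ b/cli/Valet/Site.php
@@ -570,7 +570,7 @@ public function createCa(int $caExpireInDays): void
 ));
 
 $this->cli->runAsUser(sprintf(
-'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s"',
+'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,keyCertSign" -addext "subjectKeyIdentifier=hash"',
 $caExpireInDays, $oName, $cName, '[email protected]', $caKeyPath, $caPemPath
 ));
 $this->trustCa($caPemPath);
@@ -614,7 +614,7 @@ public function createCertificate(string $url, int $caExpireInDays): void
 
 $this->buildCertificateConf($confPath, $url);
 $this->createPrivateKey($keyPath);
-$this->createSigningRequest($url, $keyPath, $csrPath, $confPath);
+$this->createSigningRequest($url, $keyPath, $csrPath);
 
 $caSrlParam = '-CAserial "'.$caSrlPath.'"';
 if (! $this->files->exists($caSrlPath)) {
@@ -646,11 +646,11 @@ public function createPrivateKey(string $keyPath): void
 /**
 * Create the signing request for the TLS certificate.
 */
-public function createSigningRequest(string $url, string $keyPath, string $csrPath, string $confPath): void
+public function createSigningRequest(string $url, string $keyPath, string $csrPath): void
 {
 $this->cli->runAsUser(sprintf(
-'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/" -config "%s"',
-$keyPath, $csrPath, $url, $url, '@laravel.valet', $confPath
+'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/"',
+$keyPath, $csrPath, $url, $url, '@laravel.valet'
 ));
 }
 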
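Review bot: The CA extensions added to the `openssl req` command in createCa set `basicConstraints=critical,CA:TRUE` with no path-length limit, so the root that `trustCa()` installs a few lines later is also allowed to sign subordinate CAs. A local development root only issues leaf certificates, so `-addext "basicConstraints=critical,CA:TRUE,pathlen:0"` would narrow what a copied CA key can do, at least for validators that enforce path length on roots. Separately, `-addext` was introduced in OpenSSL 1.1.1, so it is worth confirming that the `openssl` binary Valet invokes is never older than that; how `runAsUser` reports a rejected option is not visible here. createCa begins and ends outside this hunk.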

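--- a/cli/stubs/openssl.conf
+++ b/cli/stubs/openssl.conf
@@ -16,9 +16,11 @@ commonName_max = 64
 
 [ v3_req ]
 # Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names
+authorityKeyIdentifier = keyid
+subjectKeyIdentifier = hash
 
 [alt_names]
 DNS.1 = VALET_DOMAIN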
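Review bot: The now-critical `keyUsage` line in `[ v3_req ]` still grants `nonRepudiation`, which TLS does not use, and nothing in the section restricts the leaf to server authentication. Since marking the extension critical tells relying parties they must process it, consider trimming it to `keyUsage = critical, digitalSignature, keyEncipherment` and adding `extendedKeyUsage = serverAuth`, unless the signing step outside this file already supplies an EKU. The comment `# Extensions to add to a certificate request` also looks stale: `authorityKeyIdentifier = keyid` only has meaning when the CA signs the certificate, and the commit removes `-config` from createSigningRequest, so something like `# Extensions applied when the CA signs the certificate` would fit the new usage.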
