Add support for certificates with client and server auth and URL SANs

FiloSottile · May 28, 2019 · 28f2619 · 28f2619
1 parent bf08925
commit 28f2619
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 9 deletions.
diff --git a/cert.go b/cert.go
@@ -20,6 +20,7 @@ import (
 	"math/big"
 	"net"
 	"net/mail"
+	"net/url"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -70,15 +71,19 @@ func (m *mkcert) makeCert(hosts []string) {
 			tpl.IPAddresses = append(tpl.IPAddresses, ip)
 		} else if email, err := mail.ParseAddress(h); err == nil && email.Address == h {
 			tpl.EmailAddresses = append(tpl.EmailAddresses, h)
+		} else if uriName, err := url.Parse(h); err == nil && uriName.Scheme != "" {
+			tpl.URIs = append(tpl.URIs, uriName)
 		} else {
 			tpl.DNSNames = append(tpl.DNSNames, h)
 		}
 	}
 
+	tpl.ExtKeyUsage = []x509.ExtKeyUsage{}
 	if m.client {
-		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
-	} else if len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 {
-		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
+	}
+	if m.server && (len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 || len(tpl.URIs) > 0) {
+		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
 	}
 	if len(tpl.EmailAddresses) > 0 {
 		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageEmailProtection)
@@ -157,7 +162,7 @@ func (m *mkcert) fileNames(hosts []string) (certFile, keyFile, p12File string) {
 	if len(hosts) > 1 {
 		defaultName += "+" + strconv.Itoa(len(hosts)-1)
 	}
-	if m.client {
+	if m.client && !m.server {
 		defaultName += "-client"
 	}
 

diff --git a/main.go b/main.go
@@ -13,6 +13,7 @@ import (
 	"log"
 	"net"
 	"net/mail"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -49,6 +50,9 @@ const advancedUsage = `Advanced options:
 	-client
 	    Generate a certificate for client authentication.
 
+	-server
+	    Generate a certificate for server authentication. Enabled by default.
+
 	-ecdsa
 	    Generate a certificate with an ECDSA key.
 
@@ -82,6 +86,7 @@ func main() {
 		pkcs12Flag    = flag.Bool("pkcs12", false, "")
 		ecdsaFlag     = flag.Bool("ecdsa", false, "")
 		clientFlag    = flag.Bool("client", false, "")
+		serverFlag    = flag.Bool("server", true, "")
 		helpFlag      = flag.Bool("help", false, "")
 		carootFlag    = flag.Bool("CAROOT", false, "")
 		csrFlag       = flag.String("csr", "", "")
@@ -117,7 +122,7 @@ func main() {
 	}
 	(&mkcert{
 		installMode: *installFlag, uninstallMode: *uninstallFlag, csrPath: *csrFlag,
-		pkcs12: *pkcs12Flag, ecdsa: *ecdsaFlag, client: *clientFlag,
+		pkcs12: *pkcs12Flag, ecdsa: *ecdsaFlag, client: *clientFlag, server: *serverFlag,
 		certFile: *certFileFlag, keyFile: *keyFileFlag, p12File: *p12FileFlag,
 	}).Run(flag.Args())
 }
@@ -126,10 +131,10 @@ const rootName = "rootCA.pem"
 const rootKeyName = "rootCA-key.pem"
 
 type mkcert struct {
-	installMode, uninstallMode bool
-	pkcs12, ecdsa, client      bool
-	keyFile, certFile, p12File string
-	csrPath                    string
+	installMode, uninstallMode    bool
+	pkcs12, ecdsa, client, server bool
+	keyFile, certFile, p12File    string
+	csrPath                       string
 
 	CAROOT string
 	caCert *x509.Certificate
@@ -194,6 +199,9 @@ func (m *mkcert) Run(args []string) {
 		if email, err := mail.ParseAddress(name); err == nil && email.Address == name {
 			continue
 		}
+		if _, err := url.Parse(name); err == nil {
+			continue
+		}
 		punycode, err := idna.ToASCII(name)
 		if err != nil {
 			log.Fatalf("ERROR: %q is not a valid hostname, IP, or email: %s", name, err)