Skip to content
  • Gregory Haskins's avatar
    [FAB-3456] cryptogen: Add support for x509 SANs · 5031b0a9
    Gregory Haskins authored
    The "What"
    This patch adds support for defining x509 "Subject Alternative
    Names" (SAN) (
    This feature allows an x509 to present multiple valid identities.
    For example, multiple DNS names representing one key-pair/cert.
    By default, all x509s generated are populated with two default
    SAN entries: CommonName and Hostname.  Users may extend this with
    additional definitions via the template engine.  See "cryptogen
    showtemplate" for details.
    The "Why"
    Peers deployed in certain contexts such as container orchastration
    platforms may find certain DNS relationships that can be complex.
    For instance, two containers "foo" and "bar" might have FDQNs
    "foo.baz.cluster.local" and "bar.baz.cluster.local" within Kubernetes,
    just "foo" or "bar" from within the "baz.cluster.local" domain, or
    a completely different DNS name if the services are mapped outside
    of the Kubernetes platform.  Different schemes may sometimes be easy
    to use in one context, and difficult to use in another.  SAN extentions
    to x509 means that we don't have to choose.  We can simply annotate the
    x509 for all the valid scenarios while still offering full security.
    Fixes FAB-3456
    Change-Id: Ie6a3864c5675f51097e0b4348bf05ba8c4ef3870
    Signed-off-by: default avatarGreg Haskins <>