Generated Certificate requests not working post-fulfillment

I’m using a Microsoft CA, so right off I’m stuck generating the certificate with no “template” as required by MS. I was able to manipulate the authority into supplying a “Web Server” template during generation, but had to use the CLI instead of the gui tools. More of an MS problem if you ask me, but solvable.

My problem is that my browser doesn’t like the certificates that are generated, complaining about a missing “Subject Alternative Name (SAN)”. Apparently modern browsers only accept certs with a SAN, even if the common name matches. Edge states:

“This server couldn’t prove that it’s pbx.domain.local; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.”

How can I get the SAN submitted with my cert? I’d like to submit something like an IP address as well. I know I could just issue the request with openssl, but then what good is this part of the module?

I have an active sysadmin pro module subscription on most if not all systems I manage.

How did you generate the CSR and does the FQDN actually end in .local?

I generated the CSR using FreePBX’s certificate management module. My apologies, that’s not commercial. The application of the cert to the website was using the commercial module. I moved the discussion to distro help.

The FQDN ends with “.priv”, and is only accessible from behind a firewall.

I’m using FreePBX running on Debian deployed using the sangoma freepbx script for install.

Why are you using an invalid TLD? Who signed this cert for you?

A domain certificate authority, also behind the firewall.

So you self-signed the certificate? You didn’t use a public issuer?

I did not use a public issuer, but I did use a domain trusted CA, which is still an external source and provides trusted signing in our org.

Is this something that is configurable after the request is made, at the CA?

Well .priv isn’t a valid TLD and I have no idea if you signed the cert correctly. The rules for TLS have changed in the last five years and it sounds like your self generated cert isn’t following some (or all) of those changes.

The server hostname matches the CN of the cert right?

I create the request from FreePBX certificate manager. I submit the request to the cert authority, adding a template attribute to the request via command line, so the cert request will be accepted. The request is accepted and a cert is generated and saved, now trusted by the authority. The authority signs all our domain certificates. I’m pretty sure that’s all how it works.

Yes, the server hostname matches the CN exactly.

In those last few years they’ve introduced stricter compliance with SAN attributes and now browsers like Edge don’t accept certs unless they’ve got a SAN attribute. As far as I understand certs, it needs to be part of the request in order to be applied to the certificate, and the request is coming from FreePBX certificate manager. I could possibly alter the request at the CA after I’ve generated it, as I’m doing with adding the template attribute, but it seems like a lot of learned, undocumented changes are required for this process to occur. Maybe this should be a bug report?
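The checks behind the problem described in the first post and in the procedure above, as an added example that is not part of this thread and not FreePBX or Sangoma code: it builds a CSR that actually carries a Subject Alternative Name (a DNS name and an IP address, as the poster wants) with plain OpenSSL, then inspects both the request and the certificate that comes back, since a CA can issue from a SAN-bearing request and still return a certificate without the extension. The hostname pbx.domain.local is taken from the Edge message quoted above; the address 10.0.0.5, the temporary directory and the one-day self-signed "test CA" stand-in are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the FreePBX thread or the FreePBX/Sangoma projects.
# Two checks a SAN problem needs: a CSR that carries a Subject Alternative
# Name (DNS name plus IP), and a check on the issued certificate, because a
# CA may drop the requested SAN. Constructed values: hostname pbx.domain.local
# (from the Edge message in the thread) and IP 10.0.0.5.
set -e

# make_san_csr HOST IP OUTDIR: writes OUTDIR/server.key and OUTDIR/server.csr
# with subjectAltName=DNS:HOST,IP:IP (needs OpenSSL 1.1.1+ for -addext).
make_san_csr() {
    host="$1" ip="$2" out="$3"
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out/server.key" -out "$out/server.csr" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" 2>/dev/null
}

# san_value req|x509 FILE: prints the SAN entries of a CSR (req) or a
# certificate (x509), or nothing if the object has no SAN extension.
san_value() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# has_san req|x509 FILE: exit 0 if the SAN extension is present, 1 otherwise.
has_san() {
    [ -n "$(san_value "$1" "$2")" ]
}

# sign_test_cert CSR KEY OUT [EXTFILE]: stand-in for the CA, self-signing the
# request for one day. Without EXTFILE, "openssl x509 -req" ignores the
# extensions in the CSR, which is exactly how a SAN-less certificate comes back.
sign_test_cert() {
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" -extfile "$4" 2>/dev/null
    else
        openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" 2>/dev/null
    fi
}

D="${TMPDIR:-/tmp}/san-csr-demo"
make_san_csr pbx.domain.local 10.0.0.5 "$D"
echo "CSR SAN: $(san_value req "$D/server.csr")"

# Simulate both outcomes of issuance and check the returned certificate each time.
printf 'subjectAltName=DNS:pbx.domain.local,IP:10.0.0.5\n' > "$D/san.ext"
sign_test_cert "$D/server.csr" "$D/server.key" "$D/nosan.pem"
sign_test_cert "$D/server.csr" "$D/server.key" "$D/withsan.pem" "$D/san.ext"
for c in nosan withsan; do
    if has_san x509 "$D/$c.pem"; then
        echo "$c.pem: SAN = $(san_value x509 "$D/$c.pem")"
    else
        echo "$c.pem: NO SAN - a current browser will reject this certificate"
    fi
done
```

Run the `has_san x509` check against the certificate the CA returns, not only against the request: the CSR from the certificate manager may be fine and the template may still strip the extension. On a Microsoft CA the command-line submission the poster describes is normally `certreq -submit -attrib "CertificateTemplate:WebServer" server.csr server.cer`; whether the SAN in the CSR ends up in the certificate depends on the template's subject-name settings, and a template that takes the subject from the request is the safer fix than loosening SAN handling on the CA as a whole, which weakens issuance controls for every requester.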

He’s using an enterprise signed certificate, which is a very sensible thing to do for an enterprise that is serious about security.

(“Self signed” seems to be misused here, to mean enterprise certificate. The only things that are normally self signed are the CA root certificates, and that applies to commercial signers’ roots, just as much as enterprise ones.

It is possible to use a truly self signed certificate, where the working certificate is its own CA, but the Asterisk certificate generator doesn’t work that way; it has a separate, self signed, root certificate, and corresponding secret key, and the server and client certificates are signed by that.)