src/node/util.ts: Make certificate generation "modern"

Now we add a subject alt name, set extendedKeyUsage and use the correct certificate extension. The above allow it to be properly trusted by iOS. See https://support.apple.com/en-us/HT210176 *.cert isn't a real extension for certificates, *.crt is correct for it to be recognized by e.g. keychain or when importing as a profile into iOS. Updates #1566 I've been able to successfully connect from my iPad Pro now to my code-server instance with a self signed certificate! Next commit will be docs.
coder · Oct 30, 2020 · bd2d1b5 · bd2d1b5
1 parent b6c1acc
commit bd2d1b5
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/doc/FAQ.md b/doc/FAQ.md
@@ -145,7 +145,7 @@ pass in an existing certificate by providing the path to `--cert` and the path t
 the key with `--cert-key`.
 
 The self signed certificate will be generated into
-`~/.local/share/code-server/self-signed.cert`.
+`~/.local/share/code-server/self-signed.crt`.
 
 If `code-server` has been passed a certificate it will also respond to HTTPS
 requests and will redirect all HTTP requests to HTTPS.

diff --git a/src/node/util.ts b/src/node/util.ts
@@ -55,7 +55,7 @@ export function humanPath(p?: string): string {
 }
 
 export const generateCertificate = async (): Promise<{ cert: string; certKey: string }> => {
-  const certPath = path.join(paths.data, "self-signed.cert")
+  const certPath = path.join(paths.data, "self-signed.crt")
   const certKeyPath = path.join(paths.data, "self-signed.key")
 
   const checks = await Promise.all([fs.pathExists(certPath), fs.pathExists(certKeyPath)])
@@ -64,7 +64,17 @@ export const generateCertificate = async (): Promise<{ cert: string; certKey: st
     // generate certificates.
     const pem = require("pem") as typeof import("pem")
     const certs = await new Promise<import("pem").CertificateCreationResult>((resolve, reject): void => {
-      pem.createCertificate({ selfSigned: true }, (error, result) => {
+      pem.createCertificate({ selfSigned: true, config: `
+[req]
+req_extensions = v3_req
+
+[ v3_req ]
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+`}, (error, result) => {
         return error ? reject(error) : resolve(result)
       })
     })