Allow specifying CN, SANS DNS, SANS IP for auto-generated certificate

gen/gen.go

@@ -12,13 +12,14 @@ import (
 	"fmt"
 	"log"
 	"math/big"
+	"net"
 	"os"
 	"time"
 )
 
 // Keys generates a new P256 ECDSA public private key pair for TLS.
 // It returns a bytes buffer for the PEM encoded private key and certificate.
-func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte, err error) {
+func Keys(validFor time.Duration, cn, dns, ip string) (cert, key *bytes.Buffer, fingerprint [32]byte, err error) {
 	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		log.Fatalf("failed to generate private key: %s", err)
@@ -39,6 +40,7 @@ func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"ssl-proxy"},
+			CommonName:   cn,
 		},
 		NotBefore: notBefore,
 		NotAfter:  notAfter,
@@ -47,6 +49,12 @@ func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 	}
+	if dns != "" {
+		template.DNSNames = []string{dns}
+	}
+	if ip != "" {
+		template.IPAddresses = []net.IP{net.ParseIP(ip)}
+	}
 
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 	if err != nil {

main.go

@@ -16,11 +16,15 @@ import (
 )
 
 var (
-	to           = flag.String("to", "http://127.0.0.1:80", "the address and port for which to proxy requests to")
-	fromURL      = flag.String("from", "127.0.0.1:4430", "the tcp address and port this proxy should listen for requests on")
-	certFile     = flag.String("cert", "", "path to a tls certificate file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
-	keyFile      = flag.String("key", "", "path to a private key file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
-	domain       = flag.String("domain", "", "domain to mint letsencrypt certificates for. Usage of this parameter implies acceptance of the LetsEncrypt terms of service.")
+	to       = flag.String("to", "http://127.0.0.1:80", "the address and port for which to proxy requests to")
+	fromURL  = flag.String("from", "127.0.0.1:4430", "the tcp address and port this proxy should listen for requests on")
+	certFile = flag.String("cert", "", "path to a tls certificate file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
+	keyFile  = flag.String("key", "", "path to a private key file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
+	domain   = flag.String("domain", "", "domain to mint letsencrypt certificates for. Usage of this parameter implies acceptance of the LetsEncrypt terms of service.")
+	cn       = flag.String("cn", "", "Common name of generated certificate")
+	dns      = flag.String("dns", "", "DNS name for SAN attribute")
+	ip       = flag.String("ip", "", "IP address for SAN attribute")
+
 	redirectHTTP = flag.Bool("redirectHTTP", false, "if true, redirects http requests from port 80 to https at your fromURL")
 )
 
@@ -47,7 +51,7 @@ func main() {
 		log.Printf("No existing cert or key specified, generating some self-signed certs for use (%s, %s)\n", *certFile, *keyFile)
 
 		// Generate new keys
-		certBuf, keyBuf, fingerprint, err := gen.Keys(365 * 24 * time.Hour)
+		certBuf, keyBuf, fingerprint, err := gen.Keys(365*24*time.Hour, *cn, *dns, *ip)
 		if err != nil {
 			log.Fatal("Error generating default keys", err)
 		}