[PR #166] [MERGED] Add support for certificates with client and server auth and URL SANs #405

Closed
opened 2026-02-25 22:33:24 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/FiloSottile/mkcert/pull/166
Author: @robertpanzer
Created: 5/28/2019
Status: Merged
Merged: 7/5/2019
Merged by: @FiloSottile

Base: master ← Head: mesh-certs


📝 Commits (6)

  • e63fb5b Support URIs as alternate subject names
  • c77f211 Add extended key usage server auth to client certs to facilitate Service Mesh mTLS setups.
  • d72ac57 Implement review comments, require spiffe URI scheme
  • 5dd95e1 Request URIs to have scheme and host
  • 0000c25 Fix error message for incorrect URLs
  • fbb34f6 Fix error message for incorrect URLs

📊 Changes

2 files changed (+10 additions, -3 deletions)

📝 cert.go (+4 -1)
📝 main.go (+6 -2)

📄 Description

Thank you for this awesome tool! :-)

I wanted to use it to create certificates for a Service Mesh, that is, for using Istio with mTLS without using Citadel.
Therefore I needed to create certificates that have an extended key usage of client and server auth.
I also needed to have SPIFFE URIs in the Subject Alternate Names.

Therefore I made the following changes:

  1. Add a new flag -server, which is enabled by default. If set to false and setting -client=true, a client-only certificate would be generated; with -client=true and -server=true (the default), a client and server certificate would be created.
  2. Check the hostnames for being a URI with a non-empty scheme. In that case the name is accepted and added as a URI SAN.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
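
The two changes in the description, as an added Go example that is not part of the PR and not mkcert's code: the hypothetical helper `meshLeaf` sets the client and server auth EKUs from two switches, files names that parse as a URI with a scheme and a host as URI SANs (the host requirement follows the commit title "Request URIs to have scheme and host"), then parses the encoded certificate back. It goes slightly beyond the description by also sorting IP addresses and by rejecting the case where both switches are off; it self-signs with a throwaway key, and the sample names, serial and validity are constructed.

```go
package main // added example; meshLeaf is a hypothetical helper, not mkcert's code

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

func meshLeaf(names []string, client, server bool) (*x509.Certificate, error) {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)} // constructed
	for _, n := range names {
		if ip := net.ParseIP(n); ip != nil {
			tpl.IPAddresses = append(tpl.IPAddresses, ip)
		} else if u, err := url.Parse(n); err == nil && u.Scheme != "" && u.Host != "" {
			tpl.URIs = append(tpl.URIs, u) // URI SAN only with both scheme and host
		} else {
			tpl.DNSNames = append(tpl.DNSNames, n)
		}
	}
	if client {
		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
	}
	if server {
		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
	}
	if len(tpl.ExtKeyUsage) == 0 { // omitting the EKU extension would leave usage unrestricted
		return nil, fmt.Errorf("need client auth, server auth, or both")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv) // self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse back: what a verifier would see
}

func main() { // constructed sample names
	if c, err := meshLeaf([]string{"web.test", "10.0.0.7", "spiffe://cluster.local/ns/default/sa/web"}, true, true); err == nil {
		fmt.Println(c.DNSNames, c.IPAddresses, c.URIs, c.ExtKeyUsage)
	}
}
```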
