fix: do not use cert '-subj' to generate cert, use subjectAltName

richm · richm · commit 0b680054a511 · 2026-06-10T09:13:57.000-06:00
Cause: The code was using openssl -subj /CN=$(hostname) to generate the
cert used for the server.  The argument to '-subj' has a maximum length
of 64 characters, but the hostname is longer than that.

Consequence: The role would issue an error attempting to generate the
certificate if the hostname was too long.

Fix: Do not use '-subj'.  Certificate verification uses subjectAltName
and the role was already using this in the generated cert.

Result: The role can generate certificates which are secure without an
error when the hostnames are too long for `-subj`.

Signed-off-by: Rich Megginson &lt;rmeggins@redhat.com&gt;
diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml
@@ -38,7 +38,6 @@
     # Trustee Server SSL
     if [ ! -f {{ __trustee_server_config_dir }}/kbs/server.key ] || [ ! -f {{ __trustee_server_config_dir }}/kbs/server.crt ]; then
       openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ __trustee_server_config_dir }}/kbs/server.key \
-        -subj "/CN=$(hostname -f)/O=Red Hat" \
         -addext "basicConstraints=CA:FALSE" \
         -addext "keyUsage=digitalSignature,keyEncipherment" \
         -addext "extendedKeyUsage=serverAuth" \
