Add Subject Alternative Name to cert install command

[svautour]

I am using gnoic to deploy certs to different vendor boxes for GRPC TLS. It works great for Nokia.

On another vendor's router, the cert install command works. After installation, I can enable GRPC TLS and successfully connect with gnmic using --skip-verify. If I remove --skip-verify and use "--tls-ca cert.pem" to auth the cert, I see this in the debug:

Err: connection error: desc = "transport: authentication handshake failed: x509: certificate relies on legacy Common Name field, use SANs instead"

It looks like this vendor requires a cert with Subject Alternative Name set. Example found on google: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line

user@hostname:~$ openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\n")) -out domain.csr
user@hostname:~$ openssl req -in domain.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=CA, O=Acme, Inc., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a8:05:50:86:49:98:c8:05:01:e9:50:18:7f:2f:
                    b4:89:09:29:d1:c1:58:d8:14:bb:58:1d:25:50:11:
                    bb:43:d8:28:03:a5:de:59:49:bb:d2:f7:d3:79:5c:
                    c6:99:2c:98:ff:99:23:8c:df:96:7c:ea:4b:62:2a:
                    a4:c2:84:f5:5d:62:7f:7d:c4:7c:e2:c3:db:e6:58:
                    03:c2:26:9d:02:da:bb:84:d9:11:82:fe:38:12:9b:
                    c7:b6:ff:b2:40:30:38:b1:44:d8:47:1d:43:4a:29:
                    58:6b:49:ec:33:d7:dc:a7:1b:90:05:3a:f5:e6:16:
                    98:08:5d:2d:7e:b4:ea:a2:a4:b1:84:89:f7:f1:c4:
                    67:a6:a1:06:70:dd:4e:6b:0c:f8:b5:9b:bc:3f:06:
                    ee:90:d6:86:29:52:d3:af:f6:d4:2f:c6:cf:4b:5a:
                    b8:cd:01:74:6d:5c:25:a8:02:1c:7c:e8:66:3d:46:
                    07:b1:9d:ef:cc:eb:90:b6:bf:7b:33:e0:5f:b2:9b:
                    e8:b4:12:67:2f:8d:0d:9b:54:9d:95:6e:09:83:cb:
                    f3:5b:1f:31:8e:3b:ca:4e:08:e0:40:c0:60:40:72:
                    dd:0d:3e:99:ec:7c:ac:c4:3c:ba:85:9d:d9:d9:6b:
                    02:2e:bf:a8:a3:02:1d:eb:c8:58:e3:04:b3:a5:f1:
                    67:37
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
---snip---

This vendor has a method of generating it's own cert with itself as a CA. When I look at the cert it generates I see the same "X509v3 Subject Alternative Name: " entry:

X509v3 extensions:
          X509v3 Basic Constraints: critical
              CA:TRUE
          X509v3 Subject Key Identifier: 
              9B:D2:46:E3:C1:AA:D0:0A:90:E8:3B:55:2E:DB:8B:30:30:A6:36:F0
          X509v3 Subject Alternative Name: 
              DNS:aaa.bbb.com

The one that GNOIC creates does not have this "Subject Alternative Name" and I don't see a way to add it.

Could you add this feature?

Thanks and great tool!!
Serge

[karimra]

The gNOI spec did not account for adding SANs to the CSR(Certificate Signing Request) [comment](https://github.com/openconfig/gnoi/blob/main/cert/cert.proto#L252

Since then the certificate life cycle management moved on to gNSI

What can be done here is to use gNOIc to generate the CSR locally with the flag --gen-csr i.e case2.
I can improve gNOIc to allow SANs in a CSR if case2 flow is used.