From a90ecbab5f4bf771b77bdf35262c1603e9c41ecc Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 5 Jan 2021 13:29:56 +0100
Subject: [PATCH] system: generate a better self-signed certificate

---
 src/etc/inc/plugins.inc.d/webgui.inc | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc
index 1be95e445..f1a7ed74e 100644
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@@ -144,7 +144,7 @@ function webgui_configure_do($verbose = false, $interface = '')

 function webgui_create_selfsigned($verbose = false)
 {
- global $config;
+ global $config, $g;

 $a_ca = &config_read_array('ca');
 $a_cert = &config_read_array('cert');
@@ -160,13 +160,15 @@ function webgui_create_selfsigned($verbose = false)
 $cert['refid'] = uniqid();
 $cert['descr'] = 'Web GUI TLS certificate';

- mwexec(
- /* XXX ought to be replaced by PHP calls */
+ $dns = $config['system']['hostname'] . "." . $config['system']['domain'];
+
+ mwexecf(
 '/usr/local/bin/openssl req -new -extensions server_cert ' .
 '-config /usr/local/etc/ssl/opnsense.cnf ' .
 '-newkey rsa:4096 -sha256 -days 397 -nodes -x509 ' .
- '-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' .
- '-keyout /tmp/ssl.key -out /tmp/ssl.crt'
+ '-subj "/CN="%s"/C=NL/ST=Zuid-Holland/L=Middelharnis/O="%s" self-signed web certificate" ' .
+ '-addext "subjectAltName = DNS:"%s -keyout /tmp/ssl.key -out /tmp/ssl.crt',
+ array($dns, $g['product_name'], $dns)
 );

 $crt = file_get_contents('/tmp/ssl.crt');
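Review bot: The exit status of the new `mwexecf()` call is discarded, and `$dns` is concatenated from `$config['system']['hostname']` and `$config['system']['domain']` without checking that either is set, so an empty or malformed name now makes `openssl req` fail on the `-subj`/`-addext` values while the next visible line still reads `/tmp/ssl.crt`. Because that path is fixed, a failed run would pick up whatever file already sits there rather than a freshly generated certificate. I would capture the result (`$rc = mwexecf(` …) and stop before `file_get_contents()` when `$rc` is non-zero, assuming `mwexecf()` returns the command's exit status as `mwexec()` does. The unencrypted key (`-nodes`) is also written to the predictable name `/tmp/ssl.key`; a private temporary directory would be safer, though whether the files are removed afterwards is outside this hunk, as webgui_create_selfsigned() starts before it and continues after it.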