Diffstat (limited to 'test/mitmproxy/net/data/verificationcerts/generate.py')
-rw-r--r--test/mitmproxy/net/data/verificationcerts/generate.py54
1 files changed, 32 insertions, 22 deletions
diff --git a/test/mitmproxy/net/data/verificationcerts/generate.py b/test/mitmproxy/net/data/verificationcerts/generate.py
index 8439c9e6..1e09138d 100644
--- a/test/mitmproxy/net/data/verificationcerts/generate.py
+++ b/test/mitmproxy/net/data/verificationcerts/generate.py
@@ -5,10 +5,10 @@ import subprocess
import shlex
import os
import shutil
-
+import textwrap
ROOT_CA = "trusted-root"
-SUBJECT = "/CN=example.mitmproxy.org/"
+SUBJECT = "example.mitmproxy.org"
def do(args):
@@ -18,29 +18,39 @@ def do(args):
return output
-def genrsa(cert):
- do("openssl genrsa -out {cert}.key 2048".format(cert=cert))
+def genrsa(cert: str):
+ do(f"openssl genrsa -out {cert}.key 2048")
-def sign(cert):
- do("openssl x509 -req -in {cert}.csr "
- "-CA {root_ca}.crt "
- "-CAkey {root_ca}.key "
- "-CAcreateserial "
- "-days 7300 "
- "-out {cert}.crt".format(root_ca=ROOT_CA, cert=cert)
+def sign(cert: str, subject: str):
+ with open(f"openssl-{cert}.conf", "w") as f:
+ f.write(textwrap.dedent(f"""
+ authorityKeyIdentifier=keyid,issuer
+ basicConstraints=CA:FALSE
+ keyUsage = digitalSignature, keyEncipherment
+ subjectAltName = {subject}
+ """))
+ do(f"openssl x509 -req -in {cert}.csr "
+ f"-CA {ROOT_CA}.crt "
+ f"-CAkey {ROOT_CA}.key "
+ f"-CAcreateserial "
+ f"-days 7300 "
+ f"-sha256 "
+ f"-extfile \"openssl-{cert}.conf\" "
+ f"-out {cert}.crt"
)
+ os.remove(f"openssl-{cert}.conf")
-def mkcert(cert, args):
+def mkcert(cert, subject):
genrsa(cert)
- do("openssl req -new -nodes -batch "
- "-key {cert}.key "
- "{args} "
- "-out {cert}.csr".format(cert=cert, args=args)
+ do(f"openssl req -new -nodes -batch "
+ f"-key {cert}.key "
+ f"-addext \"subjectAltName = {subject}\" "
+ f"-out {cert}.csr"
)
- sign(cert)
- os.remove("{cert}.csr".format(cert=cert))
+ sign(cert, subject)
+ os.remove(f"{cert}.csr")
# create trusted root CA
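Review bot: `sign()` removes `openssl-{cert}.conf` only on the success path, so if `do(...)` raises (its body is outside this hunk, so this is an assumption) the extension file is left behind in the fixture directory. Moving `os.remove(f"openssl-{cert}.conf")` into a `finally:` around the `do(...)` call would avoid that. A comment above the `open(...)` would also help, for example `# x509 -req does not copy CSR extensions by default, so the SAN must come from -extfile`, because otherwise the `-addext` in `mkcert` looks sufficient on its own. `subject` is written verbatim into that file, so it is worth stating in a docstring that it must be a trusted constant such as `DNS:example.mitmproxy.org`. `mkcert(cert, subject)` is also left unannotated while `genrsa` and `sign` gained `str` annotations.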
@@ -54,13 +64,13 @@ h = do("openssl x509 -hash -noout -in trusted-root.crt").decode("ascii").strip()
shutil.copyfile("trusted-root.crt", "{}.0".format(h))
# create trusted leaf cert.
-mkcert("trusted-leaf", "-subj {}".format(SUBJECT))
+mkcert("trusted-leaf", f'DNS:{SUBJECT}')
# create self-signed cert
genrsa("self-signed")
do("openssl req -x509 -new -nodes -batch "
"-key self-signed.key "
- "-subj {} "
+ f'-addext "subjectAltName = DNS:{SUBJECT}" '
"-days 7300 "
- "-out self-signed.crt".format(SUBJECT)
- )
+ "-out self-signed.crt"
+ )
\ No newline at end of file
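Review bot: The self-signed `openssl req -x509` call does not pass `-sha256`, unlike the `openssl x509 -req` call in `sign()`, so the signature digest of `self-signed.crt` depends on the local OpenSSL default. Adding `"-sha256 "` next to `"-days 7300 "` would keep the regenerated fixtures consistent. With `-subj` removed and `-batch` kept, the subject DN presumably comes from the host's OpenSSL configuration, so a short comment saying that these certificates are meant to be matched on `subjectAltName` only would make that intent explicit for whoever regenerates them.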