tls: allow to add ip addresses as Subject Alternative Names when creating certificates (#5602)

command/tls/cert/create/tls_cert_create.go

@@ -21,19 +21,20 @@ func New(ui cli.Ui) *cmd {
 }
 
 type cmd struct {
-	UI       cli.Ui
+	UI          cli.Ui
-	flags    *flag.FlagSet
+	flags       *flag.FlagSet
-	ca       string
+	ca          string
-	key      string
+	key         string
-	server   bool
+	server      bool
-	client   bool
+	client      bool
-	cli      bool
+	cli         bool
-	dc       string
+	dc          string
-	days     int
+	days        int
-	domain   string
+	domain      string
-	help     string
+	help        string
-	dnsnames flags.AppendSliceValue
+	dnsnames    flags.AppendSliceValue
-	prefix   string
+	ipaddresses flags.AppendSliceValue
+	prefix      string
 }
 
 func (c *cmd) init() {
@@ -47,7 +48,9 @@ func (c *cmd) init() {
 	c.flags.StringVar(&c.dc, "dc", "dc1", "Provide the datacenter. Matters only for -server certificates. Defaults to dc1.")
 	c.flags.StringVar(&c.domain, "domain", "consul", "Provide the domain. Matters only for -server certificates.")
 	c.flags.Var(&c.dnsnames, "additional-dnsname", "Provide an additional dnsname for Subject Alternative Names. "+
-		"127.0.0.1 and localhost are always included. This flag may be provided multiple times.")
+		"localhost is always included. This flag may be provided multiple times.")
+	c.flags.Var(&c.ipaddresses, "additional-ipaddress", "Provide an additional ipaddress for Subject Alternative Names. "+
+		"127.0.0.1 is always included. This flag may be provided multiple times.")
 	c.help = flags.Usage(help, c.flags)
 }
 
@@ -86,16 +89,22 @@ func (c *cmd) Run(args []string) int {
 		}
 	}
 
+	for _, i := range c.ipaddresses {
+		if len(i) > 0 {
+			IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i)))
+		}
+	}
+
 	if c.server {
 		name = fmt.Sprintf("server.%s.%s", c.dc, c.domain)
 		DNSNames = append(DNSNames, []string{name, "localhost"}...)
-		IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+		IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
 		prefix = fmt.Sprintf("%s-server-%s", c.dc, c.domain)
 	} else if c.client {
 		name = fmt.Sprintf("client.%s.%s", c.dc, c.domain)
 		DNSNames = append(DNSNames, []string{name, "localhost"}...)
-		IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+		IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 		prefix = fmt.Sprintf("%s-client-%s", c.dc, c.domain)
 	} else if c.cli {

website/source/docs/commands/tls/cert.html.md.erb

@@ -51,6 +51,8 @@ Usage: `consul tls cert create [filename-prefix] [options]`
 
 - `-additional-dnsname=<string>` - Provide additional dnsname for Subject Alternative Names.
 
+- `-additional-ipaddress=<string>` - Provide additional ipaddress for Subject Alternative Names.
+
 - `-ca=<string>` - Provide path to the ca
 
 - `-cli` - Generate cli certificate

website/source/docs/guides/creating-certificates.html.md

@@ -281,8 +281,8 @@ respond as expected.
 Using `localhost` and `127.0.0.1` as `Subject Alternative Names` in server
 and client certificates allows tools like `curl` to be able to communicate with
 Consul's HTTPS API when run on the same host. Other SANs may be added during
-server/client certificates creation with `-additional-dnsname` to allow remote
+server/client certificates creation with `-additional-dnsname` or 
-HTTPS requests from other hosts.
+`-additional-ipaddress`to allow remote HTTPS requests from other hosts.
 
 ## Configuring the Consul UI for HTTPS