@@ -266,37 +266,38 @@ func (b *keyfactorBackend) pathSign(ctx context.Context, req *logical.Request, d
266266 arg , _ := json .Marshal (req .Data )
267267 b .Logger ().Debug (string (arg ))
268268
269- // validate DNS SANS (required )
269+ // validate DNS SANS (optional )
270270 var dns_sans []string
271271 b .Logger ().Debug ("parsing dns_sans..." )
272272 dns_sans_string , ok := data .GetOk ("dns_sans" )
273273
274- if ! ok || dns_sans_string == nil || dns_sans_string == "" {
275- return nil , fmt .Errorf ("dns_sans must be provided to issue certificate" )
276- }
277- dns_sans_string = dns_sans_string .(string )
278- dns_sans = strings .Split (dns_sans_string .(string ), "," )
279-
280- b .Logger ().Debug (fmt .Sprintf ("dns_sans = %s" , dns_sans ))
274+ if ok && dns_sans_string != nil && dns_sans_string == "" {
275+ dns_sans_string = dns_sans_string .(string )
276+ dns_sans = strings .Split (dns_sans_string .(string ), "," )
277+ b .Logger ().Debug (fmt .Sprintf ("dns_sans = %s" , dns_sans ))
281278
282- b .Logger ().Trace ("checking to make sure all DNS SANs are allowed by role.." )
279+ b .Logger ().Trace ("checking to make sure all DNS SANs are allowed by role.." )
283280
284- // check the provided DNS sans against allowed domains
285- valid , err_resp = checkAllowedDomains (role , roleName , dns_sans )
286- if err_resp != nil && ! valid {
287- b .Logger ().Error (err_resp .Error ())
288- return logical .ErrorResponse ("DNS_SAN(s) not allowed for role: %s" , err_resp .Error ()), err_resp
281+ // check the provided DNS sans against allowed domains
282+ valid , err_resp = checkAllowedDomains (role , roleName , dns_sans )
283+ if err_resp != nil && ! valid {
284+ b .Logger ().Error (err_resp .Error ())
285+ return logical .ErrorResponse ("DNS_SAN(s) not allowed for role: %s" , err_resp .Error ()), err_resp
286+ }
287+ } else {
288+ b .Logger ().Debug ("no DNS SANs provided" )
289289 }
290290
291291 // ip sans (optional)
292292 var ip_sans []string
293-
294293 b .Logger ().Debug ("parsing ip_sans..." )
295294 ip_sans_string , ok := data .GetOk ("ip_sans" )
296295
297296 if ok && ip_sans_string != nil && ip_sans_string .(string ) != "" {
298297 b .Logger ().Trace (fmt .Sprintf ("passed ip_sans: %s" , ip_sans_string .(string )))
299298 ip_sans = strings .Split (ip_sans_string .(string ), "," )
299+ } else {
300+ b .Logger ().Debug ("no IP SANs provided" )
300301 }
301302
302303 // get the CA name
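Review bot: The guard added at new line 274 is inverted: `if ok && dns_sans_string != nil && dns_sans_string == ""` enters the parse-and-check branch only when the value is empty, so every non-empty `dns_sans` falls into the `else`, is logged as "no DNS SANs provided", and never reaches `checkAllowedDomains`. Whether SANs can still reach the issued certificate by another route (for example from the CSR) is not visible in this hunk, but as written the role's allowed-domain restriction is not applied to what the caller sent. The condition should mirror the `ip_sans` check below it, e.g. `if s, _ := dns_sans_string.(string); ok && s != "" {` followed by `dns_sans = strings.Split(s, ",")`, which also drops the no-op self-assignment on new line 275. It is also worth confirming that `checkAllowedDomains` always returns a non-nil error when `valid` is false, because `err_resp != nil && !valid` lets a false result with a nil error through. `pathSign` begins and ends outside the hunk.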