src/node/util.ts: Make certificate generation "modern"

Now we add a subject alt name, set extendedKeyUsage and use the
correct certificate extension.

The above allow it to be properly trusted by iOS.

See https://support.apple.com/en-us/HT210176

*.cert isn't a real extension for certificates, *.crt is correct
for it to be recognized by e.g. keychain or when importing as a profile
into iOS.

Author: nhooyr

doc/FAQ.md

@@ -145,7 +145,7 @@ pass in an existing certificate by providing the path to `--cert` and the path t
 the key with `--cert-key`.
 
 The self signed certificate will be generated into
-`~/.local/share/code-server/self-signed.cert`.
+`~/.local/share/code-server/self-signed.crt`.
 
 If `code-server` has been passed a certificate it will also respond to HTTPS
 requests and will redirect all HTTP requests to HTTPS.

src/node/util.ts

@@ -55,7 +55,7 @@ export function humanPath(p?: string): string {
 }
 
 export const generateCertificate = async (): Promise<{ cert: string; certKey: string }> => {
-  const certPath = path.join(paths.data, "self-signed.cert")
+  const certPath = path.join(paths.data, "self-signed.crt")
   const certKeyPath = path.join(paths.data, "self-signed.key")
 
   const checks = await Promise.all([fs.pathExists(certPath), fs.pathExists(certKeyPath)])
@@ -64,7 +64,17 @@ export const generateCertificate = async (): Promise<{ cert: string; certKey: st
     // generate certificates.
     const pem = require("pem") as typeof import("pem")
     const certs = await new Promise<import("pem").CertificateCreationResult>((resolve, reject): void => {
-      pem.createCertificate({ selfSigned: true }, (error, result) => {
+      pem.createCertificate({ selfSigned: true, config: `
+[req]
+req_extensions = v3_req
+
+[ v3_req ]
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+`}, (error, result) => {
         return error ? reject(error) : resolve(result)
       })
     })