ca: Profile tweaks (default, promote CA flag)

This adds the ability to flag a profile to promote the first domain/IP
to the common name. This was previously removed when promotion was
deprecated, but is still allowed in the Let's Encrypt "classic" profile,
so this helps mock this behavior (and also allows it to be mocked in CAs
that still do the same).

Author: vancluever

ca/ca.go

@@ -45,8 +45,9 @@ type chain struct {
 }
 
 type Profile struct {
-	Description    string
-	ValidityPeriod uint64
+	Description       string
+	PromoteCommonName bool
+	ValidityPeriod    uint64
 }
 
 func (c *chain) String() string {
@@ -309,6 +310,22 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 		IsCA:                  false,
 	}
 
+	// Check to see if the profile allows for the promotion of first domain to
+	// the common name. This helps emulate the Let's Encrypt "classic" profile or
+	// other CAs that follow similar behavior.
+	if prof.PromoteCommonName {
+		var cn string
+		switch {
+		case len(domains) > 0:
+			cn = domains[0]
+		case len(ips) > 0:
+			cn = ips[0].String()
+		}
+		if cn != "" {
+			template.Subject.CommonName = cn
+		}
+	}
+
 	if ca.ocspResponderURL != "" {
 		template.OCSPServer = []string{ca.ocspResponderURL}
 	}
@@ -375,7 +392,12 @@ func New(log *log.Logger, db *db.MemoryStore, ocspResponderURL string, alternate
 			prof.ValidityPeriod = defaultValidityPeriod
 		}
 		ca.profiles[name] = &prof
-		ca.log.Printf("Loaded profile %q with certificate validity period of %d seconds", name, prof.ValidityPeriod)
+		ca.log.Printf(
+			"Loaded profile %q with certificate validity period of %d seconds (promote CN=%t)",
+			name,
+			prof.ValidityPeriod,
+			prof.PromoteCommonName,
+		)
 	}
 
 	return ca