[Date Prev][Date Next] [Chronological] [Thread] [Top]

Alternate names in certificates

To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
Subject: Alternate names in certificates
From: Dave Horsfall <daveh@ci.com.au>
Date: Thu, 10 Jul 2003 16:02:19 +1000 (EST)
Archive: No

Now that I've got 2.1.22 more or less working (with my own CA-signed
certificates), the next obstacle is servers having several names.  For
example, ldap.example.com/ldap.au.example.com/server.example.com would all
be the same machine.

I've perused the archives, and found several messages referring to this
(but in reference to round-robin DNS), but nothing along the lines of
"this is how you do it".  What I have been able to find implies that a
single alternate name can be given (and unless I change a lot of things
over which I have limited control, I need several), but muddling around in
RFC2830 (section 3.6) reveals that subjectAltName is to be used (if
present) in preference to the certificate name, thereby defeating the
purpose of alternate names...

So, how have people done this?  Assume I know nothing about X.509...

PS: The X.509 Style Guide by Peter Gutmann is a hoot!

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9906-7866  Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia

Follow-Ups:
- Re: Alternate names in certificates
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- RE: Alternate names in certificates
  - From: "Howard Chu" <hyc@highlandsun.com>
- Re: Alternate names in certificates
  - From: Dieter Kluenter <dieter@dkluenter.de>

Prev by Date: Re: help(Is there any C++ ldap libraries?)
Next by Date: Re: Alternate names in certificates
Index(es):
- Chronological
- Thread