Re: Alternate names in certificates

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, July 10, 2003 4:02 PM +1000 Dave Horsfall <daveh@ci.com.au> 
wrote:

> Now that I've got 2.1.22 more or less working (with my own CA-signed
> certificates), the next obstacle is servers having several names.  For
> example, ldap.example.com/ldap.au.example.com/server.example.com would all
> be the same machine.
>
> I've perused the archives, and found several messages referring to this
> (but in reference to round-robin DNS), but nothing along the lines of
> "this is how you do it".  What I have been able to find implies that a
> single alternate name can be given (and unless I change a lot of things
> over which I have limited control, I need several), but muddling around in
> RFC2830 (section 3.6) reveals that subjectAltName is to be used (if
> present) in preference to the certificate name, thereby defeating the
> purpose of alternate names...
>
> So, how have people done this?  Assume I know nothing about X.509...
>
> PS: The X.509 Style Guide by Peter Gutmann is a hoot!

Dave,

It isn't too difficult.  The basic idea, is that you have to define 
subjectAltName in the correct locations in the openssl.cnf file you are 
using (if you are using OpenSSL to generate the CSR), and then use that 
config file for your CSR with the -config <config file> option.

For me, I put it under [ usr_cert ] and under [ v3_req ]

It should generally look like:

subjectAltName=DNS:ldap.example.com,DNS:ldap.au.example.com,DNS:server.exam
ple.com

etc.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html