
Re: (ITS#3158) ldapsearch does not match simple hostnames against fqdns in certificates



For future reference via this bug report, it appears that the answer lies in the
FAQomatic entry:

    http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185

    RFC 2830 also specifies a means for additional names to be set in a
    certificate. This is done using the subjectAltName field which is an X.509v3
    extension of the basic certificate. This field can be used to list aliases
    for a server, shared names in a load-balancing setup, or any other desired
    purpose. A wildcard can also be used, to allow a single certificate to match
    all hostnames within a given domain.

    In the openssl.cnf file, the syntax for this extension is

    subjectAltName=DNS:alias1.domain1,DNS:host2.domain2,DNS:*.domain3

    Any number of names may be specified in the comma-separated list. 

Perhaps this could be added to the Administrator's Guide.

-- 
Chad C. Walstrom <walst005@umn.edu>                   247 Gortner Hall
Asst. Director of IT                                Help: 612-625-9284
CBS Computing Services, UMN                        Phone: 612-624-2918
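To show what the FAQ entry means in practice, here is an added example (not part of the ITS message or of OpenLDAP) that parses a `subjectAltName=DNS:...` line in the openssl.cnf syntax quoted above and checks which hostnames such a certificate would cover; the names in `SAN_LINE` are constructed for illustration.

```python
"""Check which hostnames a certificate's subjectAltName DNS entries cover."""

# Constructed openssl.cnf line in the syntax the FAQ entry describes:
# the FQDN, a short alias (the case ITS#3158 is about), and a wildcard.
SAN_LINE = "subjectAltName=DNS:ldap.example.org,DNS:ldap,DNS:*.ldap-pool.example.org"


def parse_san_line(line: str) -> list[str]:
    """Return the DNS names from a 'subjectAltName=...' openssl.cnf line.
    Other entry types (IP:, email:, URI:) are ignored by this helper."""
    key, _, value = line.partition("=")
    if key.strip() != "subjectAltName":
        raise ValueError("not a subjectAltName line")
    names = []
    for entry in value.split(","):
        kind, _, name = entry.strip().partition(":")
        if kind.strip().upper() == "DNS" and name:
            names.append(name.strip().lower())
    return names


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname the way TLS clients do
    (RFC 6125 rules): case-insensitive, a wildcard only as the entire
    leftmost label, and a wildcard matching exactly one label, so
    *.example.org covers a.example.org but not example.org or a.b.example.org."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_hostnames(san_line: str, candidates: list[str]) -> dict[str, bool]:
    """For each candidate hostname, report whether any SAN DNS name covers it."""
    names = parse_san_line(san_line)
    return {h: any(dns_name_matches(n, h) for n in names) for h in candidates}


if __name__ == "__main__":
    # "ldap" matches only because it is listed as an alias; a short name
    # that is not in the SAN list ("ldapserver") is rejected, as in the report.
    probes = ["ldap", "LDAP.example.org", "x.ldap-pool.example.org", "ldapserver"]
    for host, ok in covered_hostnames(SAN_LINE, probes).items():
        print(f"{host:28s} {'match' if ok else 'NO MATCH'}")
```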