Re: Alternate names in certificates

On Thu, 10 Jul 2003, Dave Horsfall wrote:

> > subjectAltName=DNS:ldap.example.com,DNS:ldap.au.example.com,DNS:server.example.com
> A thousand blessings, Quanah; that is exactly what I was after!

And following some experiments, if you have a boat-load of servers and
don't feel like editing openssl.cnf each time (or keeping multiple
copies), the following works:

openssl.cnf (say just before v3_req):

  [ local_host1 ]

  [ local_host2 ]

Then hack the CA script (or write yer own) to say:

  -extensions $local

and pass say "local_host2" as $local.

What will *not* work, apparently, is having the extension in the client
configuration file; the CA has to be told to insert it, and this is where
the messiness starts.

There's probably better ways, but this one works (for me, anyway).

Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9906-7866  Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
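The pattern from the post above, worked through end to end as an added example (this is not Dave's CA script nor anything from the thread). It assumes only the `openssl` command-line tool on the PATH, uses `openssl x509 -req` in place of the hacked CA script, and reuses the section names `local_host1`/`local_host2` and the host names from the quoted subjectAltName line; the CA name, key sizes and temporary paths are constructed for the demo. It also shows the "what will *not* work" point: the CSR for `noext` carries the extension on the client side, but the CA was not told to insert it, so the signed certificate has no SAN.

```shell
#!/bin/sh
# Added example, not code from the original post. One openssl.cnf holds a
# per-host extension section; the CA is told which section to insert via
# -extensions, and the SAN is read back from the signed certificate.
# Host names, section names, CA name and paths are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# One config file for every server; each host gets its own section.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ local_host1 ]
subjectAltName = DNS:ldap.example.com,DNS:ldap.au.example.com

[ local_host2 ]
subjectAltName = DNS:server.example.com
EOF
}

# Throw-away self-signed CA (demo only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CNF" \
        -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate with CN=$2. $1 names the section of openssl.cnf the
# CA inserts (the post's "$local"); pass "" to sign without telling the CA
# anything. The CSR always asks for local_host1 itself, to show that the
# client-side request alone does not make the SAN appear.
issue_cert() {
    section=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$cn" \
        -reqexts local_host1 -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    if [ -n "$section" ]; then
        ext="-extfile $CNF -extensions $section"
    else
        ext=""
    fi
    # $ext is intentionally left unquoted so it splits into separate options.
    openssl x509 -req -days 1 -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial $ext -out "$WORK/$cn.crt" 2>/dev/null
}

# Print the subjectAltName entries of the cert for CN=$1 (empty if none).
san_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep 'DNS:' | sed 's/^[[:space:]]*//' || true
}

demo() {
    write_config
    make_ca
    issue_cert local_host1 ldap     # CA told: -extensions local_host1
    issue_cert local_host2 server   # same openssl.cnf, other section
    issue_cert "" noext             # extension only in the CSR: dropped
    echo "ldap:   $(san_of ldap)"
    echo "server: $(san_of server)"
    echo "noext:  '$(san_of noext)'"
}

demo
```

With a real `openssl ca` setup the flag is the same `-extensions <section>`; whether request-side extensions are ever honoured there is governed by `copy_extensions` in the `[ ca ]` section, which is off unless you turn it on, so the behaviour shown for `noext` is the default in both tools.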