
Re: Alternate names in certificates

Howard Chu wrote:
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Dave Horsfall

What will *not* work, apparently, is having the extension in the client
configuration file; the CA has to be told to insert it, and this is where
the messiness starts.

This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall if it's been fixed in 0.9.7 or 0.9.8. (That is, extensions in the cert request are not propagated into the signed certificate.)

It's rather off-topic here, but please note that most CAs won't propagate the extensions from the CSR into the certificate. Therefore I'd not consider this a bug in OpenSSL. This limitation is a security feature. I'd like to emphasize that you *should not* automatically propagate the extensions from the CSR to the EE certificate without filtering! CAs are even free to completely change the subject name according to their CP and CPS.

Also, with X.509 certificates you have to know exactly what you are doing!

Ciao, Michael.
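The behaviour the thread describes, as an added example that is not part of the original messages and not OpenSSL's or OpenLDAP's own code. It uses a current OpenSSL command line (1.1.1 or later, which has `req -addext`): a CSR that requests two DNS subjectAltNames is signed once as-is, which drops the requested extension exactly as Dave observed, and once with an extension file that the CA side controls, which is the "CA has to be told to insert it" step and also where Michael's filtering happens (only one of the two requested names is issued). The CA, key material, hostnames and paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the OpenLDAP thread or from OpenSSL itself).
# Shows, with OpenSSL 1.1.1+:
#   - a subjectAltName placed in the CSR is NOT carried into the certificate
#     when the CA signs the request as-is (openssl x509 -req, default);
#   - the CA inserts the SAN it has decided on via its own extension file,
#     and that is where requested names get filtered.
# All names, paths and the throwaway CA are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA key and self-signed CA certificate (demo only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# The requester's side: a CSR that asks for two DNS SANs in the request itself.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -addext "subjectAltName=DNS:ldap.example.test,DNS:ldap2.example.test" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
}

# CA signs the CSR with no extension handling: the requested SANs are dropped.
sign_verbatim() {
    openssl x509 -req -in "$WORK/ldap.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/dropped.crt" >/dev/null 2>&1
}

# CA signs with the extensions *it* has chosen. Only the name the CA has
# vetted (ldap.example.test) is issued; ldap2.example.test, which the
# requester also asked for, is deliberately left out.
sign_with_ca_policy() {
    cat > "$WORK/ca_policy.ext" <<'EOF'
subjectAltName   = DNS:ldap.example.test
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
EOF
    openssl x509 -req -in "$WORK/ldap.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/ca_policy.ext" \
        -out "$WORK/issued.crt" >/dev/null 2>&1
}

# Returns 0 if certificate $1 carries DNS SAN $2, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Returns 0 if CSR $1 carries DNS SAN $2 in its requested extensions.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

make_ca
make_csr
sign_verbatim
sign_with_ca_policy

report() { if "$@"; then echo "present"; else echo "absent"; fi; }
echo "CSR requests ldap.example.test:           $(report csr_has_san "$WORK/ldap.csr" ldap.example.test)"
echo "signed as-is, ldap.example.test:          $(report cert_has_san "$WORK/dropped.crt" ldap.example.test)"
echo "CA-supplied exts, ldap.example.test:      $(report cert_has_san "$WORK/issued.crt" ldap.example.test)"
echo "CA-supplied exts, ldap2.example.test:     $(report cert_has_san "$WORK/issued.crt" ldap2.example.test)"
```

The unfiltered propagation Michael warns against is what `copy_extensions = copy` (or `copyall`, which lets requested extensions override the CA's own) in the `[ ca ]` section of openssl.cnf enables for `openssl ca`; `openssl x509 -req` gained an equivalent `-copy_extensions` switch in OpenSSL 3.0. Leaving those at their default (`none`) and supplying extensions from the CA's side, as above, keeps the decision about which names a certificate asserts with the CA rather than with whoever generated the request.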