[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client - Server Authentication Using Certificates

On Monday, May 10, 2004, at 09:43 AM, Laurence wrote:
Please note that I have substituted my actual hostname for host.invalid.

The first problem is with my certificate. Due to the computing policy we have here, the CN in the subject of the certificate is CN=host/host.invalid and hence when I try to do the ldapsearch I obtain the following error message.

TLS: hostname (host.invalid) does not match common name in certificate (host/host.invalid).

The first question would be, is it possible to "tune" this with the ldap configuration or does it make an assumption that the name on the certificate has to be the same as the hostname.

Some clients, including OpenLDAP, will look first at the `Subject Alternative
Name' field, in the certificate. If your site generates its own certificates
and doesn't have any policy on that field, it could be an option.

	Donn Cave, donn@u.washington.edu