
SSL subjectAltName woes

Sorry about the incorrect subject line in the original message.
"Subject: RE: ldap backend + ldapi (fwd)"

<original message>

Hmmmm, I must still be missing something. I added what you suggested
into my openssl.cnf file and generated a new server certificate and key,
but when I run:

# ldapsearch -x -d -1 -H ldap://ldap.mycompany.com \
    -D 'uid=me,ou=people,dc=mycompany,dc=com' \
    -b 'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ

(ldap.mycompany.com is a CNAME to myhost.mycompany.com)

I get:

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap.mycompany.com) does not match common name in
certificate (myhost.mycompany.com). ldap_perror
ldap_start_tls: Connect error

When I use the CN that I entered (myhost.mycompany.com) when I created
the certificate request using:
	# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
the TLS session is successful.

Here are snippets from my openssl.cnf
---- cut here ----
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req
---- cut here ----
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---- cut here ----

Examining the server certificate with:
 openssl x509 -noout -text -in corpserv-03-certificate.pem
It appears that the subjectAltName is not being put in the certificate:

Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
OU=Information Technologies,
 X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=California/L=San Francisco/O=My
Company, Inc./OU=Information

( I don't know what the subjectAltName is supposed to look like in the
  so I could be wrong about this )

Do I need to re-generate the CA after I add these entries to openssl.cnf?
Any suggestions on how to proceed with troubleshooting?

Thank you for all your help.

Jeff Saxton
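An added example, not part of the original message and not code from OpenLDAP or OpenSSL, that walks the same req_extensions = v3_req layout end to end: it puts both the CNAME the client connects to and the host's own name into the subjectAltName, checks that the SAN made it into the CSR, signs the request while naming the extension section explicitly so the SAN is actually written into the certificate, and then checks each hostname against the result with openssl x509 -checkhost. All hostnames, file names and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original message; names and paths are constructed.
set -e

WORK=$(mktemp -d)

# Same layout as the poster's openssl.cnf: req_extensions points at v3_req,
# which now also carries the subjectAltName with both hostnames.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = DNS:myhost.mycompany.com, DNS:ldap.mycompany.com
EOF

# Print the SAN value of a CSR ($1 = req) or certificate ($1 = x509),
# with whitespace stripped; prints nothing when the extension is absent.
san_of() {
    openssl "$1" -noout -text -in "$2" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' || true
}

# Return 0 when the certificate's SAN (or CN, if no SAN) matches the hostname.
host_matches() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# 1. CSR: req_extensions puts the SAN into the request itself.
openssl req -new -nodes -newkey rsa:2048 -config "$WORK/san.cnf" \
    -subj '/CN=myhost.mycompany.com' \
    -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null

# 2. Sign it. The signing step is told which extension section to emit;
#    without that, a CSR's extensions are not guaranteed to be carried over.
openssl x509 -req -days 30 -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
    -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/cert.pem" 2>/dev/null

# 3. Inspect: both the CSR and the certificate carry the SAN, and the
#    CNAME the client uses matches (set -e aborts the script if it does not).
san_of req  "$WORK/req.pem"
san_of x509 "$WORK/cert.pem"
host_matches "$WORK/cert.pem" ldap.mycompany.com
```

The same rule applies when a separate CA signs the request: whichever command issues the certificate decides which extensions are written, so a SAN present in the CSR still has to be checked for in the signed certificate with openssl x509 -text.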