[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:
> In order to have this working, we need x509 certificate that have
> the subjectAltName extension. This is not an OpenLDAP-specific problem,
> but the information about how to do it seems difficult to find, hence,
> here is the result of my experiments.
> 1) Creating a CSR
> On the LDAP servers, we need to setup OpenSSL for generating the certificate
> request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:
> req_extensions = v3_req
> The, we need a [ v3_req ] section:
> [ v3_req ]
> basicConstraints = CA:FALSE  
> subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"

I actually found that I could use the following:
[ dev_ldap ]

I then used 'srv1.example.net' as the CN for the certificate. The
OpenSSL libraries were quite happy with this; I can refer to the host as
ldap.example.com or srv1.example.com and certificate verification will

Then, to sign, I use `openssl ca -extensions dev_ldap -in srv1.csr \
-out srv1.crt'.

This allowed me to use the 'dev_ldap' extension set only for my
development config while issuing all other certificates fell back to the
'v3_req' default configuration. It also seems cleaner to me to only
specify the actual alternate name in the AltName field.

> It seems the subjectAltName has to be set in the config file. I found no
> way to have it prompted by the openssl command.

This was my experience too.

Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Attachment: signature.asc
Description: Digital signature