[Date Prev][Date Next] [Chronological] [Thread] [Top]

SSL subjectAltName woes



Sorry about the incorrect subject line in the original message.
"Subject: RE: ldap backend + ldapi (fwd)"

<original message>

Hmmmm, I must still be missing something, I added what you suggested
into my openssl.cnf file and 
Generated a new server certificate and key but when I run:

# ldapsearch -x -d -1 -H  ldap://ldap.mycompany.com -D
'uid=me,ou=people,dc=mycompany,dc=com' -b
'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ

(ldap.mycompany.com is a CNAME to myhost.mycompany.com)

I get:

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap.mycompany.com) does not match common name in
certificate (myhost.mycompany.com). ldap_perror
ldap_start_tls: Connect error

When I use the CN that I entered (myhost.mycompany.com) when I created
the certificate request using:
	# openssl req -new -nodes -keyout newreq.pem -out newreq.pem The
TLS session is sucessful.

Here are snippets from my openssl.cnf
---- cut here ----
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr req_extensions = v3_req
---- cut here ----
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjecAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
---- cut here ----

Examining at the server certificate with:
 openssl x509 -noout -text -in corpserv-03-certificate.pem
It appears that the subjectAltName is not being put in the certificate:

Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
OU=Information Technologies,
CN=myhost.mycompany.com/Email=me@mycompany.com
.....
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
 
07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
            X509v3 Authority Key Identifier:
 
keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
                DirName:/C=US/ST=California/L=San Francisco/O=My
Company, Inc./OU=Information
Technology/CN=myca.mycompany.com/Email=me@mycompany.com
                serial:00

( I don't know what the subjectAltName is supposed to look like in the
certificate
  so I could be wrong about this )

Do I need to re-generate the CA after I add these entrys to openssl.cnf?
Any suggestions on how to proceed with troubleshooting?

Thank you for all your help.

Jeff Saxton