RE: SSL subjectAltName woes
Can you give an example?
I added
    [ usr_cert ]
    .....
    subjectAltName=DNS:ldap.mycompany.com,DNS:*.mycompany.com
but when I examine the certificate using
    openssl x509 -noout -text -in newcert.pem
I don't see anything about subjectAltName:
openssl x509 -noout -text -in newcert.pem | grep -i subject
Subject: C=US, ST=California, L=San Francisco, O=My Company,
Inc., OU=IT, CN=myhost.addamark.com/emailAddress=me@mycompany.com
Subject Public Key Info:
X509v3 Subject Key Identifier:
[root@rlx-11 misc]#
Maybe I'm confused :-|
Is there something else I have to specify when I create the request?
Thanks for all your help guys, my deployment is stuck on this one issue.
Jeff
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Wednesday, August 11, 2004 3:00 PM
To: Jeff Saxton
Cc: openldap-software@OpenLDAP.org; 'Donn Cave'
Subject: Re: SSL subjectAltName woes
Jeff Saxton wrote:
> Sorry about the incorrect subject line in the original message.
> "Subject: RE: ldap backend + ldapi (fwd)"
>
> <original message>
>
> Hmmmm, I must still be missing something, I added what you suggested
> into my openssl.cnf file and
The previous post is wrong; due to a (longstanding) bug in OpenSSL,
extensions that you specify in the cert request are never copied over
into the resulting cert. You must therefore specify the subjectAltName
extension in the usr_cert section of the openssl.cnf file.
> Generated a new server certificate and key but when I run:
>
> # ldapsearch -x -d -1 -H ldap://ldap.mycompany.com -D
> 'uid=me,ou=people,dc=mycompany,dc=com' -b
> 'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ
>
> (ldap.mycompany.com is a CNAME to myhost.mycompany.com)
>
> I get:
>
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS: hostname (ldap.mycompany.com) does not match common name in
> certificate (myhost.mycompany.com). ldap_perror
> ldap_start_tls: Connect error
>
> When I use the CN that I entered (myhost.mycompany.com) when I created
> the certificate request using:
> # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
> The TLS session is successful.
>
> Here are snippets from my openssl.cnf
> ---- cut here ----
> [ req ]
> default_bits = 1024
> default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> x509_extensions = v3_ca # The extensions to add to the self signed cert
> string_mask = nombstr
> req_extensions = v3_req
> ---- cut here ----
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjecAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
> ---- cut here ----
>
> Examining the server certificate with:
> openssl x509 -noout -text -in corpserv-03-certificate.pem
> It appears that the subjectAltName is not being put in the
> certificate:
>
> Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
> OU=Information Technologies,
> CN=myhost.mycompany.com/Email=me@mycompany.com
> .....
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
>
> 07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
> X509v3 Authority Key Identifier:
>
> keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
> DirName:/C=US/ST=California/L=San Francisco/O=My
> Company, Inc./OU=Information
> Technology/CN=myca.mycompany.com/Email=me@mycompany.com
> serial:00
>
> ( I don't know what the subjectAltName is supposed to look like in the
> certificate
> so I could be wrong about this )
>
> Do I need to re-generate the CA after I add these entries to
> openssl.cnf? Any suggestions on how to proceed with troubleshooting?
>
> Thank you for all your help.
>
> Jeff Saxton
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
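An added, self-contained reproduction of the point made in this thread (it is not code from the list or from OpenLDAP): a subjectAltName listed under req_extensions ends up in the CSR but is dropped when the CA signs, while the same extension under usr_cert, handed to the signer, is emitted, and the same `openssl x509 -noout -text` check used above is what confirms it. It assumes openssl is on PATH; Demo-CA, example.com and the file names are constructed for the demo.

```shell
# Added demo, not from the thread. Shows that a SAN in the CSR is not copied
# into the signed cert, while a SAN taken from the signer's usr_cert section is.
# Assumes openssl is on PATH; Demo-CA and the example.com names are constructed.
set -eu

# Builds a CA, a CSR carrying a SAN, and two signed certs; prints the work dir.
make_demo_certs() {
    dir=$(mktemp -d)
    cd "$dir"
    cat > openssl.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = myhost.example.com
[ v3_req ]
subjectAltName = DNS:ldap.example.com,DNS:*.example.com
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.com,DNS:*.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
        -config openssl.cnf -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -keyout srv.key -out srv.csr 2>/dev/null
    # Signing 1: rely on the CSR's own extensions (what the original post did).
    openssl x509 -req -days 1 -in srv.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out from_csr.pem 2>/dev/null
    # Signing 2: take the extensions from usr_cert, as Howard advises.
    openssl x509 -req -days 1 -in srv.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile openssl.cnf -extensions usr_cert \
        -out from_usr_cert.pem 2>/dev/null
    echo "$dir"
}

# Prints the SAN value of a cert, or "none" when the extension is absent.
san_of() {
    san=$(openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
    if [ -n "$san" ]; then echo "$san"; else echo none; fi
}

DEMO=$(make_demo_certs)
echo "CSR has SAN lines: $(openssl req -noout -text -in "$DEMO/srv.csr" | grep -c 'Subject Alternative Name')"
echo "signed from CSR:   $(san_of "$DEMO/from_csr.pem")"
echo "signed w/ usr_cert: $(san_of "$DEMO/from_usr_cert.pem")"
```

Running it prints "none" for the certificate signed from the CSR alone and the two DNS names for the one signed with the usr_cert section.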