On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:
> In order to have this working, we need x509 certificates that have
> the subjectAltName extension. This is not an OpenLDAP-specific problem,
> but the information about how to do it seems difficult to find, hence,
> here is the result of my experiments.
>
> 1) Creating a CSR
> On the LDAP servers, we need to set up OpenSSL for generating the certificate
> request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:
> req_extensions = v3_req
>
> Then, we need a [ v3_req ] section:
> [ v3_req ]
> basicConstraints = CA:FALSE
> subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"

I actually found that I could use the following:

[ dev_ldap ]
subjectAltName=DNS:ldap.example.com
basicConstraints=CA:FALSE

I then used 'srv1.example.net' as the CN for the certificate. The OpenSSL
libraries were quite happy with this; I can refer to the host as
ldap.example.com or srv1.example.com and certificate verification will
succeed.

Then, to sign, I use `openssl ca -extensions dev_ldap -in srv1.csr \
-out srv1.crt'. This allowed me to use the 'dev_ldap' extension set only
for my development config while issuing all other certificates fell back to
the 'v3_req' default configuration. It also seems cleaner to me to only
specify the actual alternate name in the AltName field.

> It seems the subjectAltName has to be set in the config file. I found no
> way to have it prompted by the openssl command.

This was my experience too.

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
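The procedure discussed in the thread (a CSR whose SAN comes from a config section, and a signer that picks a different named extension section at signing time), as an added, end-to-end example that is not part of either poster's message. It uses a throwaway self-signed CA and openssl x509 -req in place of openssl ca so that no CA database (index.txt, serial) has to be set up; the host names ldap.example.com and srv1.example.net, the section names, the working directory and the CA itself are all assumptions for the demo. It also signs a second certificate that mirrors the reply's config (CN srv1.example.net, SAN containing only ldap.example.com) and runs openssl verify -verify_hostname against both, which shows the check a modern client performs: once any DNS subjectAltName is present, X509_check_host does not consult the CN, so that second certificate verifies for ldap.example.com but not for srv1.example.net. It also shows that the SAN the CSR carries (v3_req) is not what ends up in the certificate; the signer's section is.

```shell
#!/bin/sh
# Added example (not from the original post): issue a server certificate whose
# subjectAltName is chosen by the signer via a named extension section, using a
# throwaway CA. Host names, paths and the CA itself are assumed for the demo.
# Requires openssl(1) (1.1.1 or 3.x command set).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One openssl.cnf with the sections discussed in the thread:
#   v3_req   - what the CSR carries when [ req ] has req_extensions = v3_req
#   dev_ldap - what the CA actually puts in the certificate (-extensions dev_ldap)
#   cn_only  - mirrors the reply: CN srv1.example.net, SAN only ldap.example.com
#   ca_ext   - marks the throwaway CA certificate as a CA
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no

[ req_dn ]
CN = srv1.example.net

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.com, DNS:srv1.example.net

[ dev_ldap ]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.com, DNS:srv1.example.net
extendedKeyUsage = serverAuth

[ cn_only ]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.com

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA (assumed, demo only); -extensions selects ca_ext for the cert.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example Dev CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR: subject and SAN come from the config file, no prompting (as the thread notes).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -keyout "$WORK/srv1.key" -out "$WORK/srv1.csr" 2>/dev/null
}

# Sign with a named extension section chosen at signing time. openssl x509 -req
# stands in for openssl ca; CSR extensions are not copied, the section wins.
sign_cert() {   # sign_cert SECTION OUTFILE
  openssl x509 -req -days 1 -in "$WORK/srv1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$1" -out "$2" 2>/dev/null
}

# Host-name check as a TLS client does it (X509_check_host): when any DNS SAN
# is present the CN is not consulted. Returns openssl verify's exit status.
check_hostname() {   # check_hostname NAME CERTFILE
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Print the subjectAltName line of a certificate, or of a CSR with -req.
san_of() {   # san_of FILE [-req]
  if [ "${2:-}" = "-req" ]; then
    openssl req -in "$1" -noout -text
  else
    openssl x509 -in "$1" -noout -text
  fi | sed -n '/Subject Alternative Name/{n;p;}'
}

demo() {
  write_config; make_ca; make_csr
  sign_cert dev_ldap "$WORK/srv1.crt"
  sign_cert cn_only  "$WORK/cn_only.crt"
  echo "CSR  SAN:$(san_of "$WORK/srv1.csr" -req)"
  echo "cert SAN:$(san_of "$WORK/srv1.crt")"
  for n in ldap.example.com srv1.example.net evil.example.org; do
    for c in srv1 cn_only; do
      if check_hostname "$n" "$WORK/$c.crt"; then r=OK; else r=FAIL; fi
      echo "$c.crt as $n: $r"
    done
  done
}

if command -v openssl >/dev/null 2>&1; then demo; else
  echo "openssl(1) is required" >&2; exit 1
fi
```

Run it as-is; set WORK to keep the generated files somewhere other than a fresh temp directory. The cn_only.crt lines show why putting every name a client may connect to into the SAN matters: OpenLDAP's own checks in 2007 may have accepted the CN, but a verifier following X509_check_host (or RFC 6125) will reject srv1.example.net when it is only the CN and a DNS SAN exists.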