
Re: Problems with multiple DNS names in cert. [SOLVED]



Greetings all.

With help from Howard Chu, I figured out the problem. Everything was
as it should be, so the only thing I hadn't tried was a different
version of openssl (I was using 0.9.8-dev).

Now I have compiled my own version (0.9.7a with patches) and everything
looks to be in order.

Many thanks to Howard for helping me.


A lot of people have e-mailed me, asking for help with DNS aliases in
their cert-files, so here it goes:


<Begin>

Multiple servernames in a certificate mini-HOWTO:

1. 
 Follow http://www.openldap.org/faq/data/cache/185.html to make a
 CA(if you need to).

2.
 Edit your openssl.cnf (the one matching your openssl executable[*]), and
 put either
    subjectAltName=DNS:ldap1.foo.bar,DNS:ldap2.foo.bar
 or
    subjectAltName=@alt_section
    [alt_section]
    DNS.1=ldap1.foo.bar
    DNS.2=ldap2.foo.bar
 in the file.
 If you want only one alias, use something like
    subjectAltName=DNS:ldap1.foo.bar
 in openssl.cnf.

3.
 Continue the guide(http://www.openldap.org/faq/data/cache/185.html)
 where it says "Next, create a cert request.."
    openssl req -new -nodes -keyout newreq.pem -out newreq.pem
 ...and so on.

4. 
 Remember that in your ldap.conf(matching your ldapsearch[*]), there
 must be a
    TLS_CACERT /path/to/your/cacert.pem
 
5.
 Run
   ldapsearch -x -H ldap://my.alias.foo.bar -ZZ -s base
 and watch with joy. Test with all names in the cert. This should now
 work. 

6.
 If any problems, use the Evil Eye(tm) on openssl. I've spent two days
 trying to figure this out, only to find out that it was right under
 my nose the whole time.


[*] When you compile open{ssl|ldap} it is always installed with a
    prefix. In most cases(or when not specified) /usr/local is the
    default prefix. If your open{ssl|ldap} is bundled with your OS,
    defualt prefix for config-files usually is /etc. When compiling
    yourself, defualt is /usr/local/etc . /usr/local/bin/ldapsearch
    will then(most likely) check /usr/local/etc/ldap.conf(or
    /usr/local/etc/openldap/ldap.conf), so your changes have to go in
    there. You often have multiple versions of config-files on your
    system.


<End>


-- 
Mathias Meisfjordskar
GNU/Linux addict.

"If it works; HIT IT AGAIN!"
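The mini-HOWTO above is a manual procedure; the script below is an added example (not code from the original post or from the OpenLDAP FAQ it links) that runs steps 1 to 5 end to end without a directory server: it builds a throwaway CA, issues a server certificate whose subjectAltName carries the two hostnames from the post using the @alt_section form, and then asks openssl itself whether each name verifies against that CA, which is the same hostname check ldapsearch -ZZ performs for the host in the ldap:// URL. Everything except the hostnames ldap1.foo.bar and ldap2.foo.bar is an assumption: the working directory, the subjects, the key size, the section names v3_ca and v3_req, and an openssl new enough to have -verify_hostname (1.0.1 and earlier lack it).

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenLDAP FAQ it links:
# build a throwaway CA, issue a server cert whose subjectAltName carries the two
# LDAP hostnames from the post, and let openssl confirm that each name verifies.
# Assumed: an openssl with -verify_hostname (1.0.2 or later); the working
# directory, subjects, key size and section names are made up for this demo.
set -e

# Write one config file holding a req section, a CA extension section and the
# @alt_section form of subjectAltName that the post shows. Then issue a CA, a
# CSR and a signed server cert in "$1", and print the cert's SAN value line.
make_san_cert() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
# left empty: the subject is passed on the command line with -subj

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# The section that carries the aliases; referenced by name at signing time.
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = @alt_section
[alt_section]
DNS.1 = ldap1.foo.bar
DNS.2 = ldap2.foo.bar
EOF

    # Throwaway self-signed CA (what step 1 of the post sets up).
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/san.cnf" -extensions v3_ca \
        -subj "/CN=Test LDAP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # Server key and request (step 3). The CN is not what clients match on.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$dir/san.cnf" \
        -subj "/CN=ldap1.foo.bar" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # Sign the request, attaching the v3_req section (and so the SAN).
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/server.pem" 2>/dev/null

    # Print the SAN value line, e.g. "DNS:ldap1.foo.bar, DNS:ldap2.foo.bar".
    openssl x509 -in "$dir/server.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Chain the cert in "$1" to the CA and match hostname "$2" against it; this is
# the check ldapsearch -ZZ performs for the host in the ldap:// URL (step 5).
# Exit status 0 means the name is accepted.
check_name() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run: both listed names pass, a name not in the cert is refused.
WORK=$(mktemp -d)
echo "SAN: $(make_san_cert "$WORK")"
for name in ldap1.foo.bar ldap2.foo.bar ldap3.foo.bar; do
    if check_name "$WORK" "$name"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Two things to check if the real setup still fails after this works: the SAN has to be in the issued certificate, not only in the request, so when signing with `openssl ca` as in the linked FAQ the section must be the one named by `x509_extensions` in the CA's config (extensions present in the CSR are dropped unless `copy_extensions = copy` is set); and once a SAN is present, verifiers match the hostname against the SAN entries and ignore the CN, so every name a client will use must be listed there.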