Re: Alternate names in certificates

--On Thursday, July 10, 2003 4:02 PM +1000 Dave Horsfall <daveh@ci.com.au> wrote:

Now that I've got 2.1.22 more or less working (with my own CA-signed
certificates), the next obstacle is servers having several names.  For
example, ldap.example.com/ldap.au.example.com/server.example.com would all
be the same machine.

I've perused the archives, and found several messages referring to this
(but in reference to round-robin DNS), but nothing along the lines of
"this is how you do it".  What I have been able to find implies that a
single alternate name can be given (and unless I change a lot of things
over which I have limited control, I need several), but muddling around in
RFC2830 (section 3.6) reveals that subjectAltName is to be used (if
present) in preference to the certificate name, thereby defeating the
purpose of alternate names...

So, how have people done this?  Assume I know nothing about X.509...

PS: The X.509 Style Guide by Peter Gutmann is a hoot!

Dave,

It isn't too difficult. The basic idea is that you have to define subjectAltName in the correct locations in the openssl.cnf file you are using (if you are using OpenSSL to generate the CSR), and then use that config file for your CSR with the -config <config file> option.

For me, I put it under [ usr_cert ] and under [ v3_req ]

It should generally look like:

subjectAltName=DNS:ldap.example.com,DNS:ldap.au.example.com,DNS:server.example.com

etc.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
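The recipe above carried end to end, as an added example that is not part of the original thread or of OpenLDAP: a throwaway CA, a CSR generated with -config so the [ v3_req ] section is honoured, signing with the [ usr_cert ] extensions, and a check that every name survived into the issued certificate. It assumes OpenSSL 1.1.1 or later, Dave's three hostnames, and a scratch directory from mktemp; the section names, file names and the check_sans/verify_chain helpers are this example's own. Because a verifier that finds subjectAltName ignores the CN for name matching (the RFC 2830 section 3.6 behaviour Dave noticed, later generalised in RFC 6125), the CN is deliberately repeated inside the SAN list.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes OpenSSL >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"                     # scratch dir (assumption)
SANS="DNS:ldap.example.com,DNS:ldap.au.example.com,DNS:server.example.com"

# subjectAltName must appear in BOTH the section the CSR uses (v3_req via
# req_extensions) and the section the CA applies when signing (usr_cert via
# -extensions). Miss one and the names are silently dropped at that step.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = ldap.example.com

[ v3_req ]
subjectAltName = $SANS

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $SANS

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Throwaway self-signed CA (section name ca_cert is this example's own).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions ca_cert \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR generated with -config so req_extensions = v3_req is picked up.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# openssl x509 -req ignores CSR extensions unless told where to get them,
# so point it at the usr_cert section of the same config.
sign_csr() {
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions usr_cert \
        -out "$WORK/server.crt" 2>/dev/null
}

# SAN entries of the issued certificate, one "DNS:name" per line.
cert_sans() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

# Succeeds only if every name in SANS is present in the certificate.
check_sans() {
    got="$(cert_sans)"
    for n in $(printf '%s' "$SANS" | tr ',' ' '); do
        printf '%s\n' "$got" | grep -qxF "$n" || return 1
    done
}

# Chain check against the throwaway CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

write_config && make_ca && make_csr && sign_csr && check_sans && verify_chain
```

Run it and inspect "$WORK/server.crt" with openssl x509 -noout -text; the same config, minus the throwaway CA section, is what you would hand to a real CA or use with -config when generating the CSR you send them. If the CA re-issues with its own extension profile, re-run cert_sans on what comes back rather than trusting the CSR.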