Re: Alternate names in certificates
On Thu, 10 Jul 2003, Dave Horsfall wrote:
> > subjectAltName=DNS:ldap.example.com,DNS:ldap.au.example.com,DNS:server.example.com
>
> A thousand blessings, Quanah; that is exactly what I was after!
And following some experiments, if you have a boat-load of servers and
don't feel like editing openssl.cnf each time (or keeping multiple
copies), the following works:
openssl.cnf (say just before v3_req):
[ local_host1 ]
subjectAltName=DNS:host1.example.com,DNS:host1
[ local_host2 ]
subjectAltName=DNS:host2.example.com,DNS:ldap.example.com,DNS:ldap.au.example.com
Then hack the CA script (or write yer own) to say:
-extensions $local
and pass say "local_host2" as $local.
What will *not* work, apparently, is having the extension in the client
configuration file; the CA has to be told to insert it, and this is where
the messiness starts.
There's probably better ways, but this one works (for me, anyway).
--
Dave Horsfall DTM VK2KFU daveh@ci.com.au Ph: +61 2 9906-7866 Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
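The per-host section trick above, worked through as an added example (this is not code from Dave's post or from OpenSSL's CA script): one openssl.cnf with [ local_host1 ] and [ local_host2 ] sections, and the CA told which one to insert. It uses "openssl x509 -req" in place of "openssl ca" so it needs no index.txt/serial database, and it goes one step past the post by also signing a CSR with no -extensions to show the SAN is then simply absent. The TestCA name and the scratch directory are assumptions; the host names are the post's own.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSL's CA script): one openssl.cnf with
# per-host [ local_hostN ] sections, selected at signing time with -extensions.
# "openssl x509 -req" stands in for "openssl ca" so no CA database is needed.
# Needs the openssl CLI; TestCA and the scratch directory are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal req section for CSRs plus the per-host SAN sections from the post.
cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ local_host1 ]
subjectAltName=DNS:host1.example.com,DNS:host1
[ local_host2 ]
subjectAltName=DNS:host2.example.com,DNS:ldap.example.com,DNS:ldap.au.example.com
EOF

# Throwaway self-signed CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -days 1 -subj /CN=TestCA -config "$CNF" 2>/dev/null

# issue_cert <section>: CSR for the host, then the CA signs it and inserts the
# named section (the post's "-extensions $local"). An empty section signs
# without -extensions, i.e. what you get when the CA is not told.
issue_cert() {
  section=$1; name=${section:-plain}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" -config "$CNF" 2>/dev/null
  if [ -n "$section" ]; then set -- -extfile "$CNF" -extensions "$section"; else set --; fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 ${1+"$@"} -out "$WORK/$name.crt" 2>/dev/null
}

# san_of <name>: the subjectAltName the CA actually put in the cert, or "none".
san_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//' | grep . || echo none
}

issue_cert local_host2; san_of local_host2   # prints the local_host2 DNS list
issue_cert ""; san_of plain                  # prints none
```

Swap the two openssl calls in issue_cert for your CA script's "openssl ca -extensions $local" line and the behaviour is the same; the point is that the section name is chosen by the CA side, not by the CSR.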