[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alternate names in certificates

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: Alternate names in certificates
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 14 Jul 2003 10:49:05 +0200
Cc: "'Dave Horsfall'" <daveh@ci.com.au>, "'OpenLDAP Software List'" <openldap-software@OpenLDAP.org>
In-reply-to: <016b01c349da$db943fd0$0e01a8c0@CELLO>
References: <016b01c349da$db943fd0$0e01a8c0@CELLO>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3.1) Gecko/20030425

Howard Chu wrote:

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
Dave Horsfall

What will *not* work, apparently, is having the extension in
the client
configuration file; the CA has to be told to insert it, and
this is where
the messiness starts.


This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall if it's
been fixed in 0.9.7 or 0.9.8. (That is, extensions in the cert request are
not propagated into the signed certificate.)

It's rather off-topic here but please note that most CAs won't propagate the extensions from CSR into the certificate. Therefore I'd not consider this a bug in OpenSSL. This limitation is a security feature. I'd like to emphasize that you *should not* automatically propagate the extensions from the CSR to the EE certificate without filtering! CAs are even free to completely change the subject name according to their CP and CPS.

Also with X.509 certificates you have to exactly know what you are doing!

Ciao, Michael.

Follow-Ups:
- Re: Alternate names in certificates
  - From: Dave Horsfall <daveh@ci.com.au>

References:
- RE: Alternate names in certificates
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: Alternate names in certificates
Next by Date: Re: LDAP and SAMBA
Index(es):
- Chronological
- Thread