[Date Prev][Date Next] [Chronological] [Thread] [Top]

SSL subjectAltName woes

To: <openldap-software@OpenLDAP.org>
Subject: SSL subjectAltName woes
From: "Jeff Saxton" <jsaxton@addamark.com>
Date: Wed, 11 Aug 2004 13:20:15 -0700
Cc: "'Donn Cave'" <donn@u.washington.edu>
Importance: Normal
In-reply-to: <003301c47fe0$1a760300$2601000a@hq.addamark.com>

Sorry about the incorrect subject line in the original message.
"Subject: RE: ldap backend + ldapi (fwd)"

<original message>

Hmmmm, I must still be missing something, I added what you suggested
into my openssl.cnf file and 
Generated a new server certificate and key but when I run:

# ldapsearch -x -d -1 -H  ldap://ldap.mycompany.com -D
'uid=me,ou=people,dc=mycompany,dc=com' -b
'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ

(ldap.mycompany.com is a CNAME to myhost.mycompany.com)

I get:

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap.mycompany.com) does not match common name in
certificate (myhost.mycompany.com). ldap_perror
ldap_start_tls: Connect error

When I use the CN that I entered (myhost.mycompany.com) when I created
the certificate request using:
	# openssl req -new -nodes -keyout newreq.pem -out newreq.pem The
TLS session is sucessful.

Here are snippets from my openssl.cnf
---- cut here ----
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr req_extensions = v3_req
---- cut here ----
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjecAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
---- cut here ----

Examining at the server certificate with:
 openssl x509 -noout -text -in corpserv-03-certificate.pem
It appears that the subjectAltName is not being put in the certificate:

Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
OU=Information Technologies,
CN=myhost.mycompany.com/Email=me@mycompany.com
.....
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
 
07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
            X509v3 Authority Key Identifier:
 
keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
                DirName:/C=US/ST=California/L=San Francisco/O=My
Company, Inc./OU=Information
Technology/CN=myca.mycompany.com/Email=me@mycompany.com
                serial:00

( I don't know what the subjectAltName is supposed to look like in the
certificate
  so I could be wrong about this )

Do I need to re-generate the CA after I add these entrys to openssl.cnf?
Any suggestions on how to proceed with troubleshooting?

Thank you for all your help.

Jeff Saxton

Follow-Ups:
- Re: SSL subjectAltName woes
  - From: Donn Cave <donn@u.washington.edu>
- Re: SSL subjectAltName woes
  - From: Howard Chu <hyc@symas.com>

References:
- RE: ldap backend + ldapi (fwd)
  - From: "Jeff Saxton" <jsaxton@addamark.com>

Prev by Date: RE: ldap backend + ldapi (fwd)
Next by Date: back-bdb IDL cache (was re: openldap versions and silent exit)
Index(es):
- Chronological
- Thread