[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SSL subjectAltName woes
Sorry about the incorrect subject line in the original message.
"Subject: RE: ldap backend + ldapi (fwd)"
<original message>
Hmmmm, I must still be missing something, I added what you suggested
into my openssl.cnf file and
Generated a new server certificate and key but when I run:
# ldapsearch -x -d -1 -H ldap://ldap.mycompany.com -D
'uid=me,ou=people,dc=mycompany,dc=com' -b
'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ
(ldap.mycompany.com is a CNAME to myhost.mycompany.com)
I get:
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap.mycompany.com) does not match common name in
certificate (myhost.mycompany.com). ldap_perror
ldap_start_tls: Connect error
When I use the CN that I entered (myhost.mycompany.com) when I created
the certificate request using:
# openssl req -new -nodes -keyout newreq.pem -out newreq.pem The
TLS session is sucessful.
Here are snippets from my openssl.cnf
---- cut here ----
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr req_extensions = v3_req
---- cut here ----
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjecAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
---- cut here ----
Examining at the server certificate with:
openssl x509 -noout -text -in corpserv-03-certificate.pem
It appears that the subjectAltName is not being put in the certificate:
Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
OU=Information Technologies,
CN=myhost.mycompany.com/Email=me@mycompany.com
.....
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
X509v3 Authority Key Identifier:
keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
DirName:/C=US/ST=California/L=San Francisco/O=My
Company, Inc./OU=Information
Technology/CN=myca.mycompany.com/Email=me@mycompany.com
serial:00
( I don't know what the subjectAltName is supposed to look like in the
certificate
so I could be wrong about this )
Do I need to re-generate the CA after I add these entrys to openssl.cnf?
Any suggestions on how to proceed with troubleshooting?
Thank you for all your help.
Jeff Saxton