
Re: SSL subjectAltName woes



Jeff Saxton wrote:

Sorry about the incorrect subject line in the original message.
"Subject: RE: ldap backend + ldapi (fwd)"

<original message>

Hmmmm, I must still be missing something, I added what you suggested
into my openssl.cnf file and

The previous post is wrong; due to a (longstanding) bug in OpenSSL, extensions that you specify in the cert request are never copied over into the resulting cert. You must therefore specify the subjectAltName extension in the usr_cert section of the openssl.cnf file.


Generated a new server certificate and key but when I run:

# ldapsearch -x -d -1 -H  ldap://ldap.mycompany.com -D
'uid=me,ou=people,dc=mycompany,dc=com' -b
'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ

(ldap.mycompany.com is a CNAME to myhost.mycompany.com)

I get:

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap.mycompany.com) does not match common name in
certificate (myhost.mycompany.com). ldap_perror
ldap_start_tls: Connect error

When I use the CN that I entered (myhost.mycompany.com) when I created
the certificate request using:
	# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
the TLS session is successful.

Here are snippets from my openssl.cnf
---- cut here ----
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req
---- cut here ----
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
---- cut here ----

Examining the server certificate with:
 openssl x509 -noout -text -in corpserv-03-certificate.pem
It appears that the subjectAltName is not being put in the certificate:

Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc.,
OU=Information Technologies,
CN=myhost.mycompany.com/Email=me@mycompany.com
.....
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
X509v3 Authority Key Identifier:
keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
DirName:/C=US/ST=California/L=San Francisco/O=My Company, Inc./OU=Information Technology/CN=myca.mycompany.com/Email=me@mycompany.com
serial:00


(I don't know what the subjectAltName is supposed to look like in the
certificate, so I could be wrong about this.)

Do I need to re-generate the CA after I add these entries to openssl.cnf?
Any suggestions on how to proceed with troubleshooting?

Thank you for all your help.

Jeff Saxton
--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
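The hostname check behind the "does not match common name" error above, and what the subjectAltName looks like in an `openssl x509 -text` dump, as an added illustration that is not part of this thread or of OpenLDAP's own code: the two certificate texts are constructed to resemble the dump in the post, and the matching rules (DNS SAN entries preferred, CN used only when no DNS SAN is present, a wildcard covering exactly one label) are assumed from RFC 6125 rather than taken from any particular libldap version.

```python
import re

def parse_cert_text(text):
    """Return (subject CN, [DNS SAN entries]) from `openssl x509 -noout -text` output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN=([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    dns_names = []
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n([^\n]+)", text)
    if m:  # the entries sit on the line after the extension header
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry[4:].strip())
    return cn, dns_names

def _name_match(pattern, hostname):
    """A leading '*' stands for exactly one DNS label (RFC 6125 style, assumed)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(text, hostname):
    """Client-side check: use DNS SAN entries when present, else fall back to the CN."""
    cn, dns_names = parse_cert_text(text)
    if dns_names:
        return any(_name_match(n, hostname) for n in dns_names)
    return cn is not None and _name_match(cn, hostname)

# Constructed sample dumps, shaped like the one in the post: CN only, no SAN.
SUBJECT = "        Subject: C=US, O=My Company, Inc., CN=myhost.mycompany.com/Email=me@mycompany.com\n"
CERT_WITHOUT_SAN = SUBJECT + """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""
# Constructed: same subject, issued with subjectAltName in the CA's usr_cert section.
CERT_WITH_SAN = SUBJECT + """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ldap.mycompany.com, DNS:*.mycompany.com
"""

if __name__ == "__main__":
    for label, cert in (("no SAN", CERT_WITHOUT_SAN), ("with SAN", CERT_WITH_SAN)):
        for host in ("myhost.mycompany.com", "ldap.mycompany.com"):
            print(f"{label:9s}{host:22s}-> {hostname_matches(cert, host)}")
```

With the first dump only the CN name connects, which is exactly the CNAME failure in the post; with the SAN present both the CNAME and any other single-label host under mycompany.com are accepted.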