
RE: SSL subjectAltName woes



Can you give an example?

I added

  [ usr_cert ]
  .....
  subjectAltName=DNS:ldap.mycompany.com,DNS:*.mycompany.com

but when I examine the certificate using 

 openssl x509 -noout -text -in newcert.pem

I don't see anything about subjectAltName

  openssl x509 -noout -text -in newcert.pem | grep -i subject

        Subject: C=US, ST=California, L=San Francisco, O=My Company,
Inc., OU=IT, CN=myhost.addamark.com/emailAddress=me@mycompany.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier:
[root@rlx-11 misc]#

Maybe I'm confused :-|

Is there something else I have to specify when I create the request?

Thanks for all your help guys, my deployment is stuck on this one issue.

Jeff 

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Wednesday, August 11, 2004 3:00 PM
To: Jeff Saxton
Cc: openldap-software@OpenLDAP.org; 'Donn Cave'
Subject: Re: SSL subjectAltName woes


Jeff Saxton wrote:

> Sorry about the incorrect subject line in the original message.
> "Subject: RE: ldap backend + ldapi (fwd)"
> 
> <original message>
> 
> Hmmmm, I must still be missing something, I added what you suggested 
> into my openssl.cnf file and

The previous post is wrong; due to a (longstanding) bug in OpenSSL, 
extensions that you specify in the cert request are never copied over 
into the resulting cert. You must therefore specify the subjectAltName 
extension in the usr_cert section of the openssl.cnf file.

> Generated a new server certificate and key but when I run:
> 
> # ldapsearch -x -d -1 -H  ldap://ldap.mycompany.com -D 
> 'uid=me,ou=people,dc=mycompany,dc=com' -b 
> 'ou=people,dc=mycompany,dc=com' '(uid=me)' -W -ZZ
> 
> (ldap.mycompany.com is a CNAME to myhost.mycompany.com)
> 
> I get:
> 
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS: hostname (ldap.mycompany.com) does not match common name in 
> certificate (myhost.mycompany.com). ldap_perror
> ldap_start_tls: Connect error
> 
> When I use the CN that I entered (myhost.mycompany.com) when I created
> the certificate request using:
> 	# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
> The TLS session is successful.
> 
> Here are snippets from my openssl.cnf
> ---- cut here ----
> [ req ]
> default_bits            = 1024
> default_keyfile         = privkey.pem
> distinguished_name      = req_distinguished_name
> attributes              = req_attributes
> x509_extensions = v3_ca # The extensions to add to the self signed cert
> string_mask = nombstr
> req_extensions = v3_req
> ---- cut here ----
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
> subjecAltName=DNS:ldap.addamark.com,DNS:*.addamark.com
> ---- cut here ----
> 
> Examining the server certificate with:
>  openssl x509 -noout -text -in corpserv-03-certificate.pem
> It appears that the subjectAltName is not being put in the 
> certificate:
> 
> Subject: C=US, ST=California, L=San Francisco, O=My Company, Inc., 
> OU=Information Technologies, 
> CN=myhost.mycompany.com/Email=me@mycompany.com
> .....
>  X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 07:67:F8:C6:EE:3C:C3:81:16:C5:92:D9:3A:15:43:4F:D8:04:F6:AE
>             X509v3 Authority Key Identifier:
>                 keyid:9F:FD:3F:26:20:45:FB:79:68:44:43:94:40:DF:13:95:01:66:B0:E2
>                 DirName:/C=US/ST=California/L=San Francisco/O=My Company, Inc./OU=Information Technology/CN=myca.mycompany.com/Email=me@mycompany.com
>                 serial:00
> 
> ( I don't know what the subjectAltName is supposed to look like in the
> certificate, so I could be wrong about this )
> 
> Do I need to re-generate the CA after I add these entries to 
> openssl.cnf? Any suggestions on how to proceed with troubleshooting?
> 
> Thank you for all your help.
> 
> Jeff Saxton
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support
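The following script is an added example, not code from this thread or from OpenLDAP or OpenSSL. It reproduces the situation discussed above end to end: a CA, a request whose v3_req section asks for a subjectAltName, and two signings with `openssl ca`, one through an extension section without a SAN and one through a usr_cert section that carries it. The point it shows is the one Howard makes: `openssl ca` does not copy extensions out of the request unless `copy_extensions = copy` is set in the CA section (the default is none, which is the safe default, since a requester could otherwise ask for CA:TRUE or any other extension); the SAN has to come from the signer's own section. The script also runs `openssl verify -verify_hostname` against both certificates, which reproduces Jeff's "hostname does not match common name" failure for the certificate without a SAN and the success for the one with it. Two caveats from the thread itself: the extension name must be spelled exactly `subjectAltName` (the quoted v3_req section spells it `subjecAltName`, which OpenSSL does not recognise), and a CA does not need to be re-generated; only the leaf certificate has to be re-signed. Everything below assumes an `openssl` binary (1.1.1 or newer) on the PATH; the hostnames, DN values, file names (`cert-without-san.pem`, `newcert.pem`), section names (`usr_cert_no_san`, `policy_anything`) and the helper functions are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames, DN values, section and
# file names are constructed; needs an openssl binary (1.1.1 or newer).
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_config() {
    # Minimal openssl.cnf; dir is "." because openssl ca runs inside $WORK.
    cat > "$WORK/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 7
policy          = policy_anything
unique_subject  = no
x509_extensions = usr_cert
# copy_extensions is left at its default (none): the signer ignores v3_req.
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
C  = US
ST = California
O  = My Company, Inc.
CN = myhost.mycompany.com
[ v3_req ]
subjectAltName = DNS:ldap.mycompany.com,DNS:*.mycompany.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:ldap.mycompany.com,DNS:*.mycompany.com
[ usr_cert_no_san ]
basicConstraints = CA:FALSE
EOF
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
}

make_ca() {
    (cd "$WORK" && openssl req -x509 -new -nodes -newkey rsa:2048 -days 7 \
        -config openssl.cnf -extensions v3_ca \
        -subj "/C=US/O=My Company, Inc./CN=myca.mycompany.com" \
        -keyout cakey.pem -out cacert.pem)
}
# The CSR asks for the SAN via v3_req; the signer decides whether it lands.
make_request() {
    (cd "$WORK" && openssl req -new -nodes -newkey rsa:2048 \
        -config openssl.cnf -keyout newkey.pem -out newreq.pem)
}
# Sign newreq.pem using extension section $1, writing the cert to $2.
sign_request() {
    (cd "$WORK" && openssl ca -batch -notext -config openssl.cnf \
        -extensions "$1" -in newreq.pem -out "$2")
}
# Print the subjectAltName line of a cert ($1=x509) or CSR ($1=req) in $2;
# prints nothing when the object carries no SAN.
san_of() {
    openssl "$1" -noout -text -in "$2" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# True when $1 chains to our CA and is valid for hostname $2 (DNS SANs are
# consulted first; the CN is only a fallback when there is no DNS SAN).
hostname_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

build_all() {
    write_config; make_ca; make_request
    sign_request usr_cert_no_san cert-without-san.pem
    sign_request usr_cert newcert.pem
}

build_all
echo "CSR requests:             $(san_of req "$WORK/newreq.pem")"
echo "signed w/o usr_cert SAN:  '$(san_of x509 "$WORK/cert-without-san.pem")'"
echo "signed with usr_cert SAN: $(san_of x509 "$WORK/newcert.pem")"
hostname_ok "$WORK/cert-without-san.pem" ldap.mycompany.com || echo "no SAN: ldap.mycompany.com rejected"
hostname_ok "$WORK/newcert.pem" ldap.mycompany.com && echo "SAN:    ldap.mycompany.com accepted"
```

The same check the thread uses, `openssl x509 -noout -text -in newcert.pem`, should show an `X509v3 Subject Alternative Name:` entry under `X509v3 extensions:` once the signing section carries it; `grep -i subject` alone hides it because the value sits on the line after the heading. If the request-side SAN is ever to be honoured instead, set `copy_extensions = copy` in `[ CA_default ]` and review each request before signing, since with that setting the signer trusts whatever extensions the requester put in the CSR.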