[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and wildcard SSL certs

To: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP and wildcard SSL certs
From: Mike Wisener <mwisener@lurhq.com>
Date: Thu, 14 Apr 2005 11:33:16 -0400
Content-disposition: inline
In-reply-to: <20050414143213.GT754@bethel.edu>
Organization: LURHQ
References: <20050414143213.GT754@bethel.edu>
User-agent: KMail/1.6.2

On Thursday 14 April 2005 10:32, Brent J. Nordquist wrote:
> I have been unable to find a way to get wildcard SSL certs to work
> with OpenLDAP 2.1.32 and OpenSSL 0.9.6b (plus security patches). I have
> created my own CA, and used it to sign a cert. with cn=ldap.example.com
> and that works fine. (The proper TLS_CACERT setting is in ldap.conf for
> ldapsearch etc.)
>
> If I do the same to sign a cert. with with cn=*.example.com it works fine
> for everything I've tested (Apache, Sendmail, etc.), but not OpenLDAP.
> This page:
>
> http://www.openldap.org/lists/openldap-bugs/200311/msg00034.html
>
> says that you need to use subjectAltName instead of CN. So I added the
> appropriate lines to openssl.cnf and created a cert. with cn=*.example.com
> plus subjectAltName=DNS:*.example.com, and OpenLDAP fails that with:

I'm using the subjectAltName successfully though I am not using the wildcards. 
I'm using DNS:<hostname>, IP:<ip address>

Did you verify the subjectAltName was actually added on your signed 
certificate? openssl x509 -in <cert> -text

As far as I know, CN should be the fully qualified domain name. subjectAltName 
should have the wildcard.

Good Luck,

Regards,

- Mike

-- 
Mike Wisener, GCIA
Senior Information Security Analyst
LURHQ -- http://www.lurhq.com
mwisener@lurhq.com

Follow-Ups:
- Re: OpenLDAP and wildcard SSL certs
  - From: "Brent J. Nordquist" <b-nordquist@bethel.edu>

References:
- OpenLDAP and wildcard SSL certs
  - From: "Brent J. Nordquist" <b-nordquist@bethel.edu>

Prev by Date: OpenLDAP and wildcard SSL certs
Next by Date: Re: filter problem
Index(es):
- Chronological
- Thread