Hi,
It seems to me that you are using an Entrust PKI to generate the
certificate? If this is the case ensure that you set the
subjectAltName in SMA with "" surrounding it - if not SMA prepends the
e-mail qualifier...
Venlig hilsen/Kind regards
Niels Frimodt Sørensen
Signaturgruppen A/S
www.signaturgruppen.dk
+45 40207496
Howard Chu skrev:
Seed, Steven wrote:
Sending again, because I'm not sure if the first message got through
since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with a SSL certificate such that the
CN=hostname.fqdn. In the same certificate I have created a
SubjectAltName with several DNS aliases. With everything configured
properly in my ldap.conf file, I can make TLS connections to my
ldap server as long as I use the hostname that matches the CN, but
if I change my connection to use one of the aliases in the
SubjectAltName I get:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer
certificate
An openssl dump of the certificate yields the following in the
SubjectAltName section:
Certificate:
Data:
CN=Proton.fas.fa.disney.com
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com
X509v3 CRL Distribution Points:
DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney
Company Enterprise CA/CN=CRL27
URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl
Can anyone help me figure out what is going wrong? This is the same
with both version 2.2.13 and 2.3.32 of openldap. Does the
SubjectAltName format look correct?
Your subjectAltName appears to have encoded an email extension with
the string "dns:....." as its value, instead of an actual dns
extension. So basically, your subjectAltName is wrong.