Well, with the various SSL certificates I create with our in-house CA, I create them all on one machine and then copy the certificates over to the machines that will actually use them. No problem at all. So I'd guess that nothing about the machine you're creating the request on is put into the certificate...
On Tue, 2005-01-04 at 16:22, Stewart Dean wrote:
> When you do this using either the req or genrsa command, does the
> generated output have *anything* in it that acts as a fingerprint of the
> machine where the command was invoked?
> That is, as part of running these commands, does the output end up with
> some section that ties it to that very machine and no other?
>
> I am bringing up secure IMAP using openssl on our imap mail server. I
> currently have it working just fine using a self-signed certificate.
> Now I want to get a Class 1 Digital Certificate from Verisign and so
> have to submit a certificate request....
> I'm pretty clear on what I have to do, but I have a problem.
>
> The mail server in question has a hostname (mercury.bard.edu). It also
> has 3 NICs that answer to 6 numeric addresses...three of them primary
> addresses and the other three secondary 'network aliases' (as defined, I
> think, by Sun, IBM and Red Hat, a network alias is a numeric address
> that is recognized and responded to BY THE NIC HARDWARE...as such, it is
> externally indistinguishable from the primary address...the machine
> responds the same to either, and it's only internally that you can find
> out which is which). ALL six of the corresponding symbolic host names
> have A records (NOT CNAME) in DNS and resolve forward and back uniquely.
>
> Now if this were a machine with one hostname and one numeric address, I
> would have no question about how to generate keys and certificate
> requests...I would just do it.
>
> But.
>
> This machine has 6 numeric IP addresses it answers, one internal
> hostname (mercury) and 5 more hostnames in DNS: mercury2, mercmailport,
> smtp, imap & mail
>
> When I run the openssl req/genrsa command, am I going to get some
> fingerprint of the machine embedded that won't match the DNS symbolic
> name I want to use (imap.bard.edu) and put in the CN? Which I would
> think would make the certificate usage fail because the host name it got
> for that fingerprint might be mercury or any one of the other 4?
>
> Or does the generation process take no fingerprint and could be run on
> any machine that answers to the numeric IP address corresponding to the
> CN specified and entered when the command was run?
>
> My head hurts.
>
> I wouldn't make such a big deal out of this, except that the certificate
> isn't cheap, and Verisign gives you 3 days of support to get things up,
> then you're on your own. And my attempt to ask this question of the
> pre-purchase email tech support returned a 'dartboard' answer....it had
> absolutely nothing to do with my question......must have been picked out
> by throwing a dart at a list of canned answers........
>
> Thanks in advance for your help

-- 
-----------------------------------------------------------------
Aaron Smith                       vox: 269.226.9550 ext.26
http://www.nexcerpt.com           fax: 269.349.9076
...Nexcerpt...  Extend Your Expertise
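One way to check the answer above directly, as an added example that is not part of the original thread: generate the key and the request for imap.bard.edu with openssl, list the other five names the box answers to as subjectAltName entries, and then decode the request to see what it actually carries. The organisation name, the .bard.edu suffix on the alias names and the file paths are assumptions. Two things the script demonstrates: no "IP Address" or hostname of the generating machine shows up unless you put one in the config, and running `openssl req -new` twice from the same key and config yields a byte-identical CSR, so the request is a function of key, subject and extensions alone and can be produced on any machine.

```shell
#!/bin/sh
# Added example, not from the original thread: build the key and CSR for
# imap.bard.edu, then inspect the request to see what it does (and does not)
# contain. Organisation, the .bard.edu suffix on the alias names and all file
# paths are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/imap.bard.edu.key"
CSR="$WORKDIR/imap.bard.edu.csr"
CONF="$WORKDIR/req.cnf"

# Request configuration: CN is the name clients connect to; the other names
# the box answers to go in subjectAltName so one certificate serves them all.
write_config() {
    cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = US
O  = Bard College
CN = imap.bard.edu

[ v3_req ]
subjectAltName = DNS:imap.bard.edu,DNS:mail.bard.edu,DNS:smtp.bard.edu,DNS:mercury.bard.edu,DNS:mercury2.bard.edu,DNS:mercmailport.bard.edu
EOF
}

# The private key stays on the server; only the CSR written to $1 goes to the CA.
make_csr() {
    [ -s "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -key "$KEY" -config "$CONF" -out "$1" 2>/dev/null
}

# Print the CN from the CSR subject (handles both "/CN=" and "CN = " output styles).
csr_cn() {
    openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *//p'
}

# 0 if the CSR requests $1 as a DNS subjectAltName.
csr_has_dns_san() {
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$1"
}

# 0 if the CSR carries any IP-address SAN (it should not unless configured).
csr_has_ip_san() {
    openssl req -in "$CSR" -noout -text | grep -q "IP Address:"
}

# 0 if the CSR's self-signature verifies with the public key embedded in it.
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# 0 if a second request from the same key and config is byte-identical:
# a CSR has no timestamp, serial, hostname or address of the generating
# host in it, only subject, public key, requested extensions and signature.
csr_is_reproducible() {
    make_csr "$WORKDIR/again.csr"
    [ "$(openssl dgst -sha256 < "$CSR")" = "$(openssl dgst -sha256 < "$WORKDIR/again.csr")" ]
}

write_config
make_csr "$CSR"
printf 'CN:           %s\n' "$(csr_cn)"
printf 'reproducible: %s\n' "$(csr_is_reproducible && echo yes || echo no)"
openssl req -in "$CSR" -noout -text | sed -n '/Requested Extensions/,/DNS:/p'
```

The decoded output ends with the requested extensions block listing the six DNS names; compare it with what the CA actually issues, since a CA is free to drop or alter requested extensions.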