Back to your original problem -- You said you were accessing the web server by using IE, was that client machine in the same private network (as the server)?

Have you tested accessing the web server from another client machine?

Maybe you should start looking from the client-end.

Vu Pham wrote:
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Sexton
Sent: Tuesday, March 15, 2005 8:45 PM
To: openssl-users@openssl.org
Subject: RE: Field CN and the certificates



I use openssl to build a self-signed certificate for my web server. I imported the CA cert to my PC already.

When I open the web server, IE says the certificate is from a trusted CA as expected, the security certificate is valid, but it says the name is invalid.

You mean like this: https://paypal.com ?

Yes, I access https://abc.mydomain.com and CN=abc.mydomain.com

More details: this server hosts two different names, abc.mydomain.com and def.mydomain.com (each with a different IP), for https access.

I use <VirtualHost ip-of-abc.mydomain.com:443> and <VirtualHost ip-of-def.mydomain.com:443> and these virtual hosts work because IE points to the correct DocumentRoot for each name.

What is the reverse-dns for the IP address pointed to by abc (and def) mydomain.com ?


Yes, A and PTR records are set correctly for both domains. I just double
checked by nslookup.



I've seen Apache take an IP address pointed to by more than one domain, look up the reverse, and use whatever that is. For example, if you made a cert for abc, yet def points to the same IP and the reverse says def, then def is what it will use; this will not match abc and you'll get this error.


I see your point. My server is "virtual hosts" by ip addresses. I mean it
has two names with two separate ip addresses. I can test again by setting it
to have only one ip and one host name. I will post back the result.

Thanks,

Vu

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
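
The setup discussed in this thread, two IP-based HTTPS virtual hosts, written out as an added example (not configuration posted by anyone in the thread) with an explicit ServerName and a separate certificate per host, so that neither name has to be deduced from reverse DNS. The IP addresses and file paths are placeholders.

```apache
# Constructed example: 192.0.2.10, 192.0.2.11 and every file path below are
# placeholders, not values taken from the thread.
Listen 443

# abc.mydomain.com on its own address, serving the certificate whose
# subject is CN=abc.mydomain.com
<VirtualHost 192.0.2.10:443>
    # Name set explicitly; without it Apache has to work the name out
    # itself, which can involve a reverse lookup of the IP address.
    ServerName abc.mydomain.com
    DocumentRoot /var/www/abc

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/abc.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/abc.mydomain.com.key
</VirtualHost>

# def.mydomain.com on the second address, with its own certificate
# (CN=def.mydomain.com). Reusing the abc certificate here would produce
# the "name is invalid" warning for https://def.mydomain.com.
<VirtualHost 192.0.2.11:443>
    ServerName def.mydomain.com
    DocumentRoot /var/www/def

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/def.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/def.mydomain.com.key
</VirtualHost>

# To see which certificate each address really serves, compare the subject
# printed by the commands below with the host name typed into the browser:
#   openssl s_client -connect 192.0.2.10:443 </dev/null | openssl x509 -noout -subject
#   openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject
```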

