Thanx for all the info, after a lot of trying I have created a working certificate. For now I have just a few questions left, is it possible (without (shell) scripts) to (and how to do so):

1) include a .conf file with the subjectAltName extension configured for a certain certificate.
2) include the subjectAltName in a CSR to sign by a CA (which for now is a self-signed CA, but might be a real CA someday).
3) enter the subjectAltName the same way you enter a commonName
Ciao, Mark

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-openssl-[EMAIL PROTECTED]] On Behalf Of Goetz Babin-Ebell
> Sent: Sunday 6 November 2005 1:52
> To: openssl-users@openssl.org
> Subject: Re: Multiple domains in one certificate
>
> [EMAIL PROTECTED] wrote:
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:owner-openssl-
> >>
> >> Yep. But CA's typically put them in both anyway.
> >>
> >> On the other hand, if every site appears within the same domain (e.g.
> >> foo.domain.com, bar.domain.com, baz.domain.com), it might be better
> >> to get a domain cert that contains "*.domain.com".
> >
> > Both domains are different since my internal net is managed by me alone (and
> > it is neither permissible nor possible to run your own dns for the domain
> > names assigned by the provider)...
>
> I had the same problem here:
> My server has a different name if connected from the inside
> than connected from the outside (but this is good for testing...)
>
> As long as you issue your own certificates it is trivial...
>
> >> On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:
> >>
> >>> Joseph Oreste Bruni wrote:
> >>>> You can have as many commonNames as you want. That goes for
> >>>> subjectAltName fields too. I do that on an apache server (not
> >>>> using TLS) that needs to host more than one SSL site. Every
> >>>> browser I've used is okay with certs. that have multiple CN's.
> >>> But he should use the subjectAltName extension.
> >>> Using the CN is deprecated.
> >
> > How do I define the subjectAltName, since I've tried it already but
> > failed... What configuration directives are needed??
>
> Which OpenSSL version do you use?
> 0.9.8 should be best.
> (additionally you could try my patch (Ticket 1050 / 1052) which gives
> you greater influence setting the entry...)
>
> An extract from my openssl.cnf:
>
> [...]
> [ ssl_cert ]
>
> # These extensions are added when 'ca' signs a request.
> [...]
>
> # This stuff is for subjectAltName and issuerAltName.
> # Import the email address.
> # subjectAltName=email:copy
> # An alternative to produce certificates that aren't
> # deprecated according to PKIX.
> subjectAltName=email:move,DNS:copy.commonName,DNS:shomitefo.dyndns.org
> [...]
>
> description:
> generate a subjectAltName extension containing
> 1. a generalName of type emailAddress containing
>    the email address from the DN of the request (deleted from the DN)
>    (if set)
> 2. a generalName of type dnsName containing a copy of
>    the DN entry commonName of the request (if set)
>    (this requires my patch in ticket 1050 / 1052)
> 3. a generalName of type dnsName containing my dyndns.org domain.
>
> Since you are not the first one I point to my patch I would
> like somebody from the core team to have a look at it and
> include it into the head...
> (nag, nag,,, :-) )
>
> Bye
>
> Goetz
>
> --
> DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
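An added example (not Mark's or Goetz's configuration) showing how the standard openssl.cnf directives cover the three questions in the reply above without Goetz's patch and without a shell script: a [req] section that writes subjectAltName into the CSR, and a [ca] section that carries it through when signing. The host names, file paths and section names other than ssl_cert are placeholders.

```ini
# Added example openssl.cnf fragment (placeholder host names, not the
# thread's own config). Intended use, with no scripting needed:
#   openssl req -new -config san.cnf -key server.key -out server.csr
#   openssl ca  -config san.cnf -in server.csr -out server.crt
#   openssl x509 -in server.crt -noout -text   # confirm the SAN is present

[ req ]
distinguished_name = req_dn
req_extensions     = v3_req      # extensions written into the CSR
prompt             = no          # DN comes from this file, like a CN would

[ req_dn ]
CN = www.example.org

# Question 2: the CSR itself carries the names, so a real CA sees them too.
[ v3_req ]
subjectAltName = @alt_names

# Questions 1 and 3: each name is entered once, like a DN field.
[ alt_names ]
DNS.1 = www.example.org          # name used from the outside
DNS.2 = server.internal.lan      # name used from the inside

[ ca ]
default_ca = ca_default
[ ca_default ]
dir             = ./demoCA
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
default_md      = sha256
policy          = policy_san
x509_extensions = ssl_cert
# Without this, 'openssl ca' drops the CSR's extensions. Enable it only
# for requests you review: a requester could otherwise ask for any name.
copy_extensions = copy

[ policy_san ]
commonName = supplied

# Extensions added when 'ca' signs. Setting subjectAltName here instead
# (e.g. subjectAltName=email:move,DNS:www.example.org) takes precedence
# over the CSR's copy; DNS:copy.commonName from the extract needs the patch.
[ ssl_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
```

Browsers match the host name against the SAN list rather than the CN, so every name the server answers to belongs in [ alt_names ].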