On Thu, Jan 05, 2006 at 03:17:41PM +0100, Dr. Stephen Henson wrote:
> On Thu, Jan 05, 2006, Koos Vriezen wrote:
>
> >
> > I really want this for my certificates, as the same webserver is used for
> > various domains in our setup. I can't get this working though.
> > I've started with http://www.eclectica.ca/howto/ssl-cert-howto.php#cnfig
> > and the commands I do are (in the directory containing this openssl.cnf):
> >
> > mkdir newcerts private
> > echo '01' > serial
> > touch index.txt
> > openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
> >     -out cacert.pem -days 3650 -config ./openssl.cnf
> > openssl req -new -nodes -out req.pem -config ./openssl.cnf
> > openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
> >
> > all according to the above mentioned document. And if I run
> >
> > openssl x509 -in cert.pem -text
> >
> > I should see the subjectAltName when inserted in the openssl.cnf (at
> > least according to http://wiki.cacert.org/wiki/VhostTaskForce, and
> > Firefox is heavily complaining with a domain mismatch).
> >
> > I've tried it in sections v3_ca/v3_req/ssl_cert, all without luck. I must
> > do something wrong, but since there are so many variables, maybe one
> > can assist me where I should put the line:
> >
> > subjectAltName=email:move,DNS:copy.commonName,DNS:foo.com,DNS:foo.nl,\
> > DNS:bar.com,DNS:zzz.intern
> >
>
> Your problem is that that non-standard openssl.cnf from that site doesn't
> include an X509 extensions section for the "ca" command at all!
Ok, sorry about that. I'm not trying to be an SSL expert or developer, just
trying to get Firefox to shut up on this. So I went for the demo provided by
a Debian news mail and Google. Btw. I wonder why this documentation is so
scattered over the net, as I guess that most public webservers will have
multiple domain names (at least an internal one and a public one).

> You'd be better off starting from the standard openssl.cnf configuration file
> and using the standard CA.pl script from OpenSSL.
>
> Another problem above is the manual setup of the serial number file. This can
> create certificates with duplicate serial numbers which can cause all manner
> of hard to trace problems later on...
>
> CA.pl can do most of the above safely: the first four commands are covered by
> "CA.pl -newca". Note: if you are using OpenSSL 0.9.8 then use the latest
> snapshot because that fixes a bug in CA.pl.

Ah, so simple: the default openssl.cnf already has commented subjectAltName
entries too. I used the CA.pl from debian/testing, which is 0.9.8a-3, and the
last two commands ran perfectly. Works now with Firefox too.

Thanks very much, you saved my day!

Koos

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
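The point Steve makes above is that `openssl ca` only applies the extensions named by `x509_extensions` in the CA section it uses (`usr_cert` in the stock openssl.cnf), so a subjectAltName placed in v3_ca or v3_req never reaches a certificate that `ca` issues. The script below is an added example, not code from the thread or from OpenSSL itself: it writes a constructed minimal openssl.cnf with the SAN in the section `x509_extensions` points at, runs the same four-command sequence the original poster used (non-interactively, in a throwaway directory), and extracts the SAN from the issued certificate so the result can be checked. The directory layout, file names, subject and DNS names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): show where subjectAltName has to live
# for "openssl ca" to emit it, then verify it on the issued certificate.
set -e

WORK="$(mktemp -d)"
cd "$WORK"
mkdir -p newcerts private
echo '01' > serial      # acceptable for a one-off demo; CA.pl manages this for you
: > index.txt

# Constructed config. "openssl ca" reads [ ca ] -> [ CA_default ]; the
# x509_extensions entry there names the section whose contents end up in
# every certificate it issues. That section (usr_cert) is where the SAN goes.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
# This is the section "ca" applies to issued certificates.
x509_extensions = usr_cert

[ policy_anything ]
commonName      = supplied

[ req ]
distinguished_name = req_distinguished_name
# Used by "req -x509" when building the self-signed CA certificate only.
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:www.example.test,DNS:www.example.nl,DNS:intranet.example.internal
EOF

# The same steps as in the thread, with -subj/-batch so nothing prompts.
openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca \
    -keyout private/cakey.pem -out cacert.pem -days 3650 \
    -subj '/CN=Example Test CA' -config ./openssl.cnf >/dev/null 2>&1
openssl req -new -nodes -newkey rsa:2048 -keyout private/serverkey.pem \
    -out req.pem -subj '/CN=www.example.test' -config ./openssl.cnf >/dev/null 2>&1
openssl ca -batch -out cert.pem -config ./openssl.cnf -infiles req.pem >/dev/null 2>&1

# Print the SAN line of a certificate (empty output if it carries none).
san_of_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

san_of_cert cert.pem
# -> DNS:www.example.test, DNS:www.example.nl, DNS:intranet.example.internal
```

The CA certificate itself carries no SAN, because v3_ca does not define one; only the end-entity certificate signed by `openssl ca` does, which is the behaviour the original poster was missing. Two practical caveats: the hard-coded `01` serial is only tolerable in a throwaway directory, for the duplicate-serial reason Steve gives, and the alternative route of letting `ca` take the SAN from the request (`copy_extensions = copy` in the CA section) hands control of the names to whoever submits the request, so a CA that does that has to check the requested names before signing.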