Hi, and thanks for your help so far. I tried the first option you specified, but couldn't get it to work. Here is a snippet from my OpenSSL.cnf file
---SNIP---
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name 1(hostname, IP, or your name)
commonName_default = Server1.myDomain.local
commonName_max = 64

[ usr_cert ]
subjectAltName = Common Name 2(hostname, IP, or your name)
subjectAltName_default = Server2.myDomain.local

[ server_cert ]
basicConstraints = critical,CA:FALSE
nsCertType = server
---SNIP---

I still get a "SSL certificate host name mismatch in tcp_connect()" error when I run my server application on Server2. I took this layout from the OpenSSL book I believe, but can you confirm this is the correct way to do it?

Goetz, I will try your patch too, but I'd like to be able to do this with a vanilla OpenSSL install.

Many thanks again people.

Lee.

--------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell
Sent: 12 May 2006 19:07
To: openssl-users@openssl.org
Subject: Re: Multiple commonNames or using subjectAltName problems.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Lee,

For that you have to store the host names in the subjectAltName extension of the certificate.

Either you can do that with a cert section like

- -----BEGIN CONFIG SNIPLET-----
[ server_cert ]
basicConstraints=critical,CA:FALSE
nsCertType = server
...
subjectAltName=DNS:hostname1.domainname.top,DNS:hostname2.domainname.top
- -----END CONFIG SNIPLET-----

and you generate a request without a commonName

or you can install my patch (ticket #1052 in the request tracker), generate a request with 2 commonNames and generate the cert with

- ----BEGIN CONFIG SNIPLET-----
[ req_server_name ]
## for the generated request
...
0.commonName = Common Name (hostname)
0.commonName_default = Hostname1.DomainName.local
0.commonName_max = 64
1.commonName = Common Name (hostname)
1.commonName_default = Hostname2.DomainName.local
1.commonName_max = 64

[ cert_server ]
basicConstraints=critical,CA:FALSE
nsCertType = server
...
subjectAltName=email:move,DNS:copy.commonName
- -----END CONFIG SNIPLET-----

If you want your server cert signed by a public CA, please contact the CA.

Bye

Goetz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
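
Added example, not part of either message and not OpenSSL project code: the first option Goetz describes, as a shell script in which subjectAltName in the extension section carries the DNS: values directly (no prompt string or _default entry) and the subject has no commonName. Assumptions: the certificate is self-signed so the script runs stand-alone, and the function names, file names and the "Example Org" DN are made up for illustration; when a CA signs the request, the same section is selected with -extensions on the signing command.

```sh
#!/bin/sh
# Added example (not from the thread). Function names, file names and the
# "Example Org" DN are constructed for illustration.

# make_san_cert DIR HOST...: write DIR/san.cnf, DIR/key.pem and DIR/cert.pem
make_san_cert() {
    dir=$1; shift
    # Build "DNS:a,DNS:b" from the remaining arguments.
    san=
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done

    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
# No commonName: the host names live in subjectAltName only.
organizationName = Example Org

[ server_cert ]
basicConstraints = critical,CA:FALSE
nsCertType       = server
# An extension section takes the value itself, not a prompt string.
subjectAltName   = $san
EOF

    # Self-signed here (assumption) so that no CA setup is needed.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/san.cnf" -extensions server_cert \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_sans CERT: print the subjectAltName values stored in the certificate.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches CERT HOST: succeed if HOST passes OpenSSL's host name check.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: make_san_cert /tmp/demo Server1.myDomain.local Server2.myDomain.local
```

Running cert_sans on the result before deploying shows whether the extension actually made it into the certificate, which is the thing to check when a client reports a host name mismatch.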