Without any guarantees: the order of attributes in the distinguished name section may be important. If you
have a country code, start with this as the first attribute. You may not want to put an email address into the DN?
I'd recommend using _value fields in order to avoid prompting. In order to get multiple subject altnames, you probably need something like this in a file my.cnf:

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
default_md = sha1

[ req_distinguished_name ]
countryName = "Country Name"
countryName_value = WW
organizationName = "organisation"
organizationName_value = "your organisation"
commonName = "Common Name"
commonName_value = "*.your.dom"

[ server_cert ]
subjectAltName = DNS:servername1.your.dom,DNS:servername2.your.dom
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = serverAuth

You then just need:

openssl req -config my.cnf -newkey rsa:1024 -keyout my.key -new -reqexts server_cert -out my.csr
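The same idea in a form that can be checked end to end, as an added example that is not from the thread: it writes a request config where every hostname sits in one subjectAltName extension (the @alt_names form, with prompt = no instead of the _value fields), generates the CSR, and reads the SAN line back out so you can confirm the names a client will match against are really present before the request goes to a CA. The file names my.cnf/my.key/my.csr and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one subjectAltName extension
# holding every hostname (@alt_names form), plus a check that the
# CSR really carries them. File names and hostnames are assumptions.

# make_san_config CN host1 [host2 ...]  -> prints the config to stdout
make_san_config() {
    cn=$1; shift
    cat <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = server_cert

[ req_distinguished_name ]
countryName         = WW
organizationName    = Your Organisation
commonName          = $cn

[ server_cert ]
basicConstraints    = critical,CA:FALSE
keyUsage            = critical,digitalSignature,keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names

[ alt_names ]
EOF
    i=1
    for host in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$host"
        i=$((i + 1))
    done
}

# gen_csr CN host1 [host2 ...] -> writes my.cnf, my.key and my.csr
gen_csr() {
    make_san_config "$@" > my.cnf
    openssl req -config my.cnf -new -newkey rsa:2048 -nodes \
        -keyout my.key -out my.csr
}

# csr_sans FILE -> the SAN line of a CSR, e.g. "DNS:a, DNS:b";
# these are the names a TLS client matches the server name against
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
```

Run `gen_csr '*.your.dom' servername1.your.dom servername2.your.dom && csr_sans my.csr` and expect `DNS:servername1.your.dom, DNS:servername2.your.dom`; a CA that keeps the requested extensions will carry the same names into the certificate.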
Lee Colclough wrote:
Hi, and thanks for your help so far. I tried the first option you specified, but couldn't get it to work. Here is a snippet from my OpenSSL.cnf file:

---SNIP---
[ req_distinguished_name ]
# Variable name              Prompt string
#-------------------------   ----------------------------------
organizationName             = Organization Name (company)
organizationalUnitName       = Organizational Unit Name (department)
emailAddress                 = Email Address
emailAddress_max             = 40
localityName                 = Locality Name (city, district)
stateOrProvinceName          = State or Province Name (full name)
countryName                  = Country Name (2 letter code)
countryName_min              = 2
countryName_max              = 2
commonName                   = Common Name 1(hostname, IP, or your name)
commonName_default           = Server1.myDomain.local
commonName_max               = 64

[ usr_cert ]
subjectAltName               = Common Name 2(hostname, IP, or your name)
subjectAltName_default       = Server2.myDomain.local

[ server_cert ]
basicConstraints             = critical,CA:FALSE
nsCertType                   = server
---SNIP---

I still get a "SSL certificate host name mismatch in tcp_connect()" error when I run my server application on Server2. I took this layout from the OpenSSL book I believe, but can you confirm this is the correct way to do it?

Goetz, I will try your patch too, but I'd like to be able to do this with a vanilla OpenSSL install.

Many thanks again people.

Lee.

--------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell
Sent: 12 May 2006 19:07
To: openssl-users@openssl.org
Subject: Re: Multiple commonNames or using subjectAltName problems.

Hello Lee,

For that you have to store the host names in the subjectAltName extension of the certificate. Either you can do that with a cert section like

-----BEGIN CONFIG SNIPLET-----
[ server_cert ]
basicConstraints=critical,CA:FALSE
nsCertType = server
...
subjectAltName=DNS:hostname1.domainname.top,DNS:hostname2.domainname.top
-----END CONFIG SNIPLET-----

and you generate a request without a commonName, or you can install my patch (ticket #1052 in the request tracker), generate a request with 2 commonNames and generate the cert with

-----BEGIN CONFIG SNIPLET-----
[ req_server_name ]
## for the generated request
...
0.commonName = Common Name (hostname)
0.commonName_default = Hostname1.DomainName.local
0.commonName_max = 64
1.commonName = Common Name (hostname)
1.commonName_default = Hostname2.DomainName.local
1.commonName_max = 64

[ cert_server ]
basicConstraints=critical,CA:FALSE
nsCertType = server
...
subjectAltName=email:move,DNS:copy.commonName
-----END CONFIG SNIPLET-----

If you want your server cert signed by a public CA, please contact the CA.

Bye

Goetz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; the list of revoked certificates can also be found there.