Thanks to ALL, I used all of this to find my way.

I finally got what I wanted using the configuration below, using multiple subjectAltName. It works with IE 6 and 7, Firefox 1.5, 2.0, AND Thunderbird and Outlook Express using IMAP and SMTP (TLS and SSL).

Then every time I update my DNS, adding a new domain, I have to update my certificate. BUT then clients have to trust this new certificate ... this is annoying! I will try using a CA root if I can avoid this disagreement. Maybe you already know the answer? :-)

Here is the command I used to generate the working certificate:

    openssl req -new -x509 -outform PEM -keyform PEM -nodes \
        -days 3650 -out cert.pem -keyout key.pem \
        -config tmp.req.cnf

and here is the config I used:

    [ req ]
    distinguished_name = req_distinguished_name
    default_bits = 1024
    prompt = no
    x509_extensions = v3_req
    string_mask = nombstr

    [ req_distinguished_name ]
    CN = *.foobar.com

    [ v3_req ]
    basicConstraints = CA:TRUE
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = alpha.loc.customer.example.com
    DNS.2 = beta.loc.customer.example.com
    DNS.3 = gamma.loc.customer.example.com

Here are the interesting links I used as reference.

The openssl-users thread named "Wildcard ssl certificate using subjectAltName" that showed me the way, with the useful sample by Victor Duchovni:
http://www.nabble.com/Wildcard-ssl-certificate-using-subjectAltName-t1103260.html

The link http://wiki.cacert.org/wiki/VhostTaskForce explores several ways, but I retained only the one using multiple subjectAltName, found in http://wiki.cacert.org/wiki/VhostsApache?action=show :

    The CommonName is ignored if you have any SubjectAltName's so the best thing to do is to repeat the CommonName as a SubjectAltName.

On 6/16/07, Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote:
--On June 16, 2007 13:25:33 +0200 Alain Spineux <[EMAIL PROTECTED]> wrote:

> Hello

Hello Alain,

> I would like to create an individual space for all my customers, using
> their own domain name.
>
> For example
>
> debian.org -> debian.org.example.com
> linux.org -> linux.org.example.com
> uk.debian.org -> uk.debian.org.example.com
>
> I tried to create a wildcard certificate for example.com, but it only
> works for foo.example.com
> not for foo.bar.example.com
>
> That way, I can host the service on separate servers, totally independent.
> The only one that knows them all is the DNS, that is the only one to
> have a backup.

You could stuff all host names in a subjectAltName extension...
At least modern browsers should support it...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
--
Alain Spineux
aspineux gmail com
May the sources be with you

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
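The two behaviours the thread turns on (a wildcard covers only one DNS label, and the CommonName is ignored as soon as a DNS subjectAltName is present) are matching rules implemented by the client, not properties of the certificate file. The following is an added example, not code from the thread or from OpenSSL, that implements those rules in plain Python over constructed certificate records (dicts standing in for a parsed X.509 certificate; no PEM is read), so the outcome of each name in the thread can be checked offline. One caveat on the posted config, as a defender would read it: `basicConstraints = CA:TRUE` is not needed for a server certificate, and a client that trusts such a certificate also trusts any certificate its key signs, so a plain `CA:FALSE` leaf, or the separate CA root Alain mentions, is the safer shape.

```python
"""Added example (not from the thread): hostname matching against CN and
subjectAltName the way browsers do it (RFC 2818 / RFC 6125 rules).

It reproduces the two observations from the thread:
  * a wildcard matches exactly one label, so *.example.com covers
    foo.example.com but not foo.bar.example.com;
  * when a certificate carries any DNS subjectAltName, the CN is ignored,
    which is why the CN must be repeated as a SAN to keep matching it.
All certificate records below are constructed for this example.
"""


def dns_name_matches(pattern, hostname):
    """Return True if a DNS name from a certificate matches the hostname.

    Matching is case-insensitive, label by label. A '*' is honoured only as
    the entire left-most label, only when at least two labels follow it
    (no '*.com'), and it matches exactly one non-empty label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            if h == "":
                return False
        elif p != h:
            return False
    return True


def certificate_matches(cert, hostname):
    """Decide whether a parsed certificate is valid for hostname.

    `cert` is a dict with keys 'subject_cn' (str) and 'san_dns' (list of
    str), a constructed stand-in for a parsed X.509 certificate.
    Returns (matched, reason).
    """
    san_dns = cert.get("san_dns") or []
    if san_dns:
        # SAN present: only SAN entries count, the CN is not consulted.
        for name in san_dns:
            if dns_name_matches(name, hostname):
                return True, "matched subjectAltName DNS:%s" % name
        return False, "no subjectAltName matches; CN ignored because SAN is present"
    cn = cert.get("subject_cn")
    if cn and dns_name_matches(cn, hostname):
        return True, "matched CN=%s (no subjectAltName present)" % cn
    return False, "no match"


# Constructed certificates mirroring the thread: the first wildcard attempt
# and the multi-SAN certificate that finally worked.
WILDCARD_ONLY = {"subject_cn": "*.example.com", "san_dns": []}
MULTI_SAN = {
    "subject_cn": "*.foobar.com",
    "san_dns": [
        "alpha.loc.customer.example.com",
        "beta.loc.customer.example.com",
        "gamma.loc.customer.example.com",
    ],
}


def main():
    checks = [
        (WILDCARD_ONLY, "foo.example.com"),         # one label: matches
        (WILDCARD_ONLY, "foo.bar.example.com"),     # two labels: does not
        (MULTI_SAN, "beta.loc.customer.example.com"),
        (MULTI_SAN, "www.foobar.com"),              # CN ignored, SAN present
    ]
    for cert, host in checks:
        ok, why = certificate_matches(cert, host)
        print("%-32s %-5s %s" % (host, ok, why))


if __name__ == "__main__":
    main()
```

Running it shows `www.foobar.com` rejected even though it matches the CN `*.foobar.com`, which is exactly the CAcert wiki advice quoted above: once any DNS SAN is present, a name the certificate should still serve has to be listed there too.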