In the OpenSSL config, use the following:
[ user_cert ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
# use one of the following subjectAltName forms:
subjectAltName = IP:[your server IP]
# subjectAltName = email:copy
# subjectAltName = URI:[your.site.com]
# and so on.
Phil wrote:
Hi Rodney,
Thanks for the reply.
What I have is a cert request from a 2003 server with the following as
an example:
Subject Name (SN): servername.domainname.com.au
Subject Alternative Name (SAN): AlternateServername.domainname.com.au
I am far from an expert on certificates, but I know these can be
signed from a Windows 2003 CA or say Verisign with the following
options:
Server Authentication
Client Authentication
Subject Name (as above)
Subject Alternative Name (as above)
So I have certificates like these signed from the above mentioned
CAs, but I am looking to sign these requests myself with the same
parameters using something like OpenSSL.
The initial cert requests are done with utilities that come with
Microsoft products. One Microsoft product that I am using at the
moment is the Certificate Wizard that comes with OCS 2007 that allows
you to choose the SN and SAN, or even multiple SANs.
Like I mentioned, I am not an expert on SSL certs, so I am looking to
get pointers in the right direction on where to investigate/read so I
can get my head around how this could be achieved.
I will investigate more of what you have mentioned below, but if you
have more feedback then that is welcomed.
Thank you.
Phil.
On Nov 10, 2007 3:08 AM, Rodney Thayer <[EMAIL PROTECTED]> wrote:
Are you saying you have a Microsoft Windows 2003 Server system
that has already created a certificate request (PKCS-10 formatted
data file) with multiple subjectAltNames, and you would like
an OpenSSL-based CA to sign it and grant it "server authentication"
and "client authentication" key usage?
You wouldn't happen to have a reference as to how you cooked
this certificate request, would you?
w.r.t. server-auth and client-auth, it's something the CA
grants, I believe. I think that if you look around for
list posts discussing manipulating the inside of openssl.cnf
to provide such a thing that may help. I believe that goes
in the "ca policy" section.
I don't recall pkcs-10 being capable of supporting a certificate
request that's got subjectaltnames - that'd be interesting
to share if you know how to do that...
Phil wrote:
Hi there,
Up to now I have only ever done certs for web servers which are quite
straightforward.
I now have the requirement to fulfill requests with the following:
multiple subject alternative names
server authentication
client authentication
If anyone can pass on info or point me in the right direction of other
posts, that would be great. I need to know how to take a request from
a Windows server and sign it correctly with all these options.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
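
Added example (not code from this thread or from the OpenSSL project): one way to sign a certificate request so that the issued certificate carries several subject alternative names plus server and client authentication, using openssl x509 -req with an extension file. The throwaway CA, the example.test host names, the file names and the section name server_client_cert are assumptions made up for the demonstration.

```sh
#!/bin/sh
# Added example: the CA, not the requester, decides SANs and extended key usage.
set -eu

sign_with_sans() {
    work=$(mktemp -d)
    # Throwaway demo CA (constructed; a real CA key is long-lived and protected).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    # Stand-in for the PKCS#10 request that would come from the Windows server.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=servername.example.test" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
    # Extensions granted at signing time; review every name before issuing.
    cat > "$work/ext.cnf" <<'EOF'
[ server_client_cert ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = servername.example.test
DNS.2 = alternateservername.example.test
EOF
    # Only the extensions listed in ext.cnf are placed in the certificate here.
    openssl x509 -req -in "$work/srv.csr" -sha256 -days 1 \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/ext.cnf" -extensions server_client_cert \
        -out "$work/srv.crt" 2>/dev/null
    # Print the issued certificate so the granted extensions can be inspected.
    openssl x509 -in "$work/srv.crt" -noout -text
    rm -rf "$work"
}

# Show just the two extensions of interest from the issued certificate.
sign_with_sans | grep -A1 -E 'Subject Alternative Name|Extended Key Usage'
```

Listing the names in the CA-side extension file means a requester cannot obtain a name the CA operator has not reviewed.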