I've solved this problem. I created file ip.ext with: subjectAltName=IP:10.5.19.191
To sign certificate I used: openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt > /etc/ssl/ilocert.pem Everything works well! Thanks Jakob Bohm-7 wrote: > > Depending on the CA you use, you may be able to issue a certificate with > CN=some-ILO-name,OU=... > > AND > > SubjectAlternativeName: IP:1.2.3.4 > > If the ILO configuration accepts that cert, then there is a good chance > you browser would accept the cert for both "https://some-ILO-name/"; and > "https://1.2.3.4/"; > > On 24-07-2010 16:19, michu162 wrote: >> >> So what i should do to avoid warnings? >> CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch >> is >> automatically generated by device. I can't upload other certificate (with >> other CN) because i got alert that certificate doesn't match the >> request. >> Is possible to access device via IP without warnings? >> >> michu162 wrote: >>> >>> I generated the ssl request, I signed it in my CA (openssl) and uploaded >>> signed certificate back to device. >>> I generated also ca.der and uploaded it to my Internet browser. When I >>> trying open ilo my browser give a warning about a mismatched hostname. >>> >>> I'm accessing this device via IP address. >>> I don't want add this addresses to my DNS. >>> >>> In certificate request was: >>> CN = some-iLO-2-Subsystem-Name >>> OU = ISS >>> O = Hewlett-Packard Development Company >>> ST = Texas >>> C = US >>> >>> In my CA certificate, witch I used to sign the request I've got: >>> CN = in...@mycompany.com >>> C = US >>> ST = MyState >>> L = myCity >>> E = in...@mycompany.com >>> OU = Infrastructure >>> O = MyCompany SP zoo >>> >>> What should I do to connect to ilo without any warnings? >>> >>> To create my own CA i used: >>> openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out >>> cacert.pem -days 3650 -config ./openssl.cnf >>> >>> To sign my certificate request i used: >>> openssl ca -notext -in /etc/ssl/req.txt> /etc/ssl/ilocert.pem >>> >>> My OpenSSL configuration file: >>> # >>> >>> # Establish working directory. >>> >>> dir = /etc/ssl >>> >>> [ ca ] >>> default_ca = CA_default >>> >>> [ CA_default ] >>> serial = $dir/serial >>> database = $dir/index.txt >>> new_certs_dir = $dir/certs >>> certificate = $dir/cacert.pem >>> private_key = $dir/private/cakey.pem >>> default_days = 3650 >>> default_md = md5 >>> preserve = no >>> email_in_dn = no >>> nameopt = default_ca >>> certopt = default_ca >>> policy = policy_match >>> >>> [ policy_match ] >>> countryName = optional >>> stateOrProvinceName = optional >>> organizationName = optional >>> organizationalUnitName = optional >>> commonName = supplied >>> emailAddress = optional >>> >>> [ req ] >>> default_bits = 1024 # Size of keys >>> default_keyfile = key.pem # name of generated keys >>> default_md = md5 # message digest >>> algorithm >>> string_mask = nombstr # permitted characters >>> distinguished_name = req_distinguished_name >>> req_extensions = v3_req >>> >>> [ req_distinguished_name ] >>> # Variable name Prompt string >>> #------------------------- ---------------------------------- >>> 0.organizationName = Organization Name (company) >>> organizationalUnitName = Organizational Unit Name >>> (department, >>> division) >>> emailAddress = Email Address >>> emailAddress_max = 40 >>> localityName = Locality Name (city, district) >>> stateOrProvinceName = State or Province Name (full name) >>> countryName = Country Name (2 letter code) >>> countryName_min = 2 >>> countryName_max = 2 >>> commonName = Common Name (hostname, IP, or your name) >>> commonName_max = 64 >>> >>> # Default values for the above, for consistency and less typing. >>> # Variable name Value >>> #------------------------ ------------------------------ >>> 0.organizationName_default = My Company >>> localityName_default = My Town >>> stateOrProvinceName_default = State or Providence >>> countryName_default = US >>> >>> [ v3_ca ] >>> basicConstraints = CA:TRUE >>> subjectKeyIdentifier = hash >>> authorityKeyIdentifier = keyid:always,issuer:always >>> >>> [ v3_req ] >>> basicConstraints = CA:FALSE >>> subjectKeyIdentifier = hash >>> >>> Can anyone help me? >>> >>> >> > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > > -- View this message in context: http://old.nabble.com/Why-does-my-browser-give-a-warning-about-a-mismatched-hostname-tp29237337p29264553.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
