Using subjectAltName

Using subjectAltName

am 10.10.2002 16:18:48 von camccuk

Hello all,

Sadly I've lost the original mail but someone a few weeks ago mentioned the use of the subjectAltName extension to store domain names in a certificate - can anyone clarify how to do this? I've found a few examples of this on the net and dug through the docs but I can't get it to work for me...

I'm currently using a hacked version of the ssl.ca-0.1 scripts and have the following for my config:

[ req ]
default_bits = 1024
default_keyfile = server.key
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
x509_extensions = usr_cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, www.domain.com)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ v3_req ]
nsCertType = server
basicConstraints = critical,CA:false
[ user_cert ]
subjectAltName = DNS:our.domain.co.uk

This always results in "Error Loading extension section usr_cert". A couple of quesions: do I need this DNS prefix? Does it matter what I call the extensions section? How do I specify multiple host names? I found an example which led me to use the x509_extensions tag instead of extensions - what is the difference?

I would be hugely grateful for any pointers...

cam
-----------------------------------------
camccuk@netscape.net


____________________________________________________________ ______
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Using subjectAltName

am 15.10.2002 17:14:05 von camccuk

Hate to repost but I'm completely stumped by this one and have noticed a few related questions for this recently...

>Sadly I've lost the original mail but someone a few weeks ago mentioned the use of the subjectAltName extension to store domain names in a certificate - can anyone clarify how to do this?

Actually it was, er... Harald Koch - sorry to drag you in Harald but do you have details of how to do this or were you using some proprietary solution (Netscape's server products?)

This is the config that doesn't work..

>[ req ]
>default_bits                                    = 1024
>default_keyfile                                 = server.key
>distinguished_name                              = req_distinguished_name
>string_mask                                     = nombstr
>req_extensions                                  = v3_req
>x509_extensions                                 = usr_cert
>[ req_distinguished_name ]
>countryName                                     = Country Name (2 letter code)
>countryName_default                             = GB
>countryName_min                                 = 2
>countryName_max                                 = 2
>stateOrProvinceName                             = State or Province Name (full name)
>localityName                                    = Locality Name (eg, city)
>0.organizationName                              = Organization Name (eg, company)
>organizationalUnitName                  = Organizational Unit Name (eg, section)
>commonName                                      = Common Name (eg, www.domain.com)
>commonName_max                                  = 64
>emailAddress                                    = Email Address
>emailAddress_max                                = 40
>[ v3_req ]
>nsCertType                                      = server
>basicConstraints                                = critical,CA:false
>[ user_cert ]
>subjectAltName                                  = DNS:our.domain.co.uk
>
>This always results in "Error Loading extension section usr_cert". A couple of quesions: do I need this DNS prefix? Does it matter what I call the extensions section? How do I specify multiple host names? I found an example which led me to use the x509_extensions tag instead of extensions - what is the difference?

Once again, eternal gratitude awaits anyone who can shine any light on this...

cam
-----------------------------------------
camccuk@netscape.net


____________________________________________________________ ______
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Using subjectAltName

am 15.10.2002 17:31:11 von Joe Orton

Hi - you might be better of asking these questions on the openssl-users
list.

On Thu, Oct 10, 2002 at 10:18:48AM -0400, camccuk@netscape.net wrote:
...
> x509_extensions = usr_cert

This looks like a simple typo, the above requires a section called
'usr_cert', yet you've actually named the section "user_cert".

> [ user_cert ]
> subjectAltName = DNS:our.domain.co.uk
>
> This always results in "Error Loading extension section usr_cert". A
> couple of quesions: do I need this DNS prefix?

Yes.

> Does it matter what I call the extensions section?

No, AFAIK, so long as it doesn't conflict with any other section

> How do I specify multiple host names?

subjectAltName = DNS:our.domain.co.uk, DNS:another.domain.co.uk, DNS:...

> I found an example which led me to use the x509_extensions tag instead
> of extensions - what is the difference?

Pass.

Regards,

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Using subjectAltName

am 19.10.2002 15:29:26 von camccuk

Joe Orton wrote:

>Hi - you might be better of asking these questions on the openssl-users
>list.
>
>On Thu, Oct 10, 2002 at 10:18:48AM -0400, camccuk@netscape.net wrote:
>..
>> x509_extensions                                 = usr_cert
>
>This looks like a simple typo, the above requires a section called
>'usr_cert', yet you've actually named the section "user_cert".

Ouch. Cleaned it up for posting - I can confirm that even when correctly spelled, this fails to insert the field into the certificate. A cert is generated but when examined doesn't appear to have any extra fields.

Point taken that this might be slightly OT and I shall try openssl lists.

Thanks for the reply,

cam
-----------------------------------------
camccuk@netscape.net


____________________________________________________________ ______
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org