> Date: Tue, 04 Apr 2006 11:30:30 -0700
> From: "George Holbert" <gholbert@broadcom.com>
>
>>> Does Directory Server support the subjectAltName extension on SSL certs?
>>
>> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>>
>> The next question is, do your SSL-enabled LDAP clients support these certs?
>
> I need to support both Solaris and RedHat Linux LDAP name service
> clients (i.e., passwd, group, automount, etc.). I've found that:
> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
> - RHEL 3 clients can handle subjectAltName certs. Solaris clients can't.
>
> So, while the server can present either of these cert types, your
> clients' limitations will also influence how you sign your certs.

Someone should file a bug report with Sun then, since LDAP RFC2830 defines support for subjectAltName and not for wildcard certs. The LDAPbis specifications will be pretty much the same here. I.e., Sun's LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries, which are fully LDAPv3 compliant.

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
George Holbert
2006-Apr-05 19:51 UTC
Re: [Fedora-directory-users] Re: Hostname does not match CN
> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.

I think 2830 does mention wildcards as acceptable, but I would prefer to use subjectAltNames if possible. So I agree it would be great if Sun would add this support to their Solaris LDAP name service client. I believe part of the problem is that the Solaris client uses a fairly ancient version of the NSS toolkit (although Sun DS, like Fedora DS, uses a much more recent version).
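The server-identity check this exchange is about, as an added example that is not code from the thread, from Sun, or from OpenLDAP: it implements the RFC 2830 section 3.6 matching order (subjectAltName dNSName entries first, CN only as a fallback, case-insensitive, wildcard only in the leftmost label) and models the two client behaviours George reported as flags, so an administrator can see which certificate shape both client populations will accept. The `CertIdentity` type and the two presets are assumptions of this example; the certificate identities are constructed inline, not parsed from real certificates.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """Identity fields of a server cert (constructed here, not parsed from DER)."""
    subject_cn: str
    san_dnsnames: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if not allow_wildcard or not p.startswith("*."):
        return False
    labels = h.split(".")
    # The wildcard stands for exactly one label: a.b.example.com must not
    # match *.example.com.
    return len(labels) > 1 and ".".join(labels[1:]) == p[2:]


def check_identity(hostname: str, cert: CertIdentity,
                   supports_san: bool = True, supports_wildcard: bool = True) -> bool:
    """RFC 2830 3.6 order: dNSName SAN entries when present, otherwise the CN.
    A client that ignores the extension (supports_san=False) only ever sees the
    CN, which is why a CN=localhost cert with a correct SAN still fails on it."""
    if supports_san and cert.san_dnsnames:
        candidates = cert.san_dnsnames
    else:
        candidates = [cert.subject_cn]
    return any(name_matches(n, hostname, supports_wildcard) for n in candidates)


# The two client behaviours George reported, as keyword presets (assumed model).
SOLARIS_LIKE = dict(supports_san=False, supports_wildcard=True)
RHEL3_LIKE = dict(supports_san=True, supports_wildcard=False)


def accepted_by_both(hostname: str, cert: CertIdentity) -> bool:
    """True only for a certificate shape both client populations will validate."""
    return (check_identity(hostname, cert, **SOLARIS_LIKE)
            and check_identity(hostname, cert, **RHEL3_LIKE))


# Constructed identities: a CN=localhost cert with the hostname only in the SAN,
# a wildcard CN, and a CN repeated in the SAN with no wildcard.
SAN_ONLY = CertIdentity("localhost", ["foo.example.com"])
WILDCARD_CN = CertIdentity("*.example.com")
CN_PLUS_SAN = CertIdentity("ldap.example.com", ["ldap.example.com"])
```

Under this model only the last shape, the exact LDAP hostname in the CN and repeated as a dNSName, validates on both presets.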
Alex aka Magobin
2006-Apr-06 10:47 UTC
[Fedora-directory-users] SubjectAltName how does it work?
Hi, I'm reading openssl.txt to use subjectAltName, but I'm confused.... I set up openssl.cnf with subjectAltName in this way:

subjectAltName=DNS:ldap.domain.example.com

...after that I made the certificate as suggested by Rob, but it seems it doesn't work. I also found this in Sun documentation:

certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com

but if I use this method, when I try to import the server certificate:

./shared/bin/certutil -A -d . -n "nodo1.example.com" -t u,u,u -i tmpcert.der

it returns an error about adding the certificate to the token or database. How can I proceed to make a certificate with subjectAltName?...

Alex
Alex aka Magobin
2006-Apr-06 14:05 UTC
[Fedora-directory-users] Re: SubjectAltName how does it work?
> I also find this in Sun documentation:
>
> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com

Ok, after reading the document I see that the certutil that comes with FDS supports subjectAltName... so I tried to make a server certificate with this extension but unfortunately it doesn't work; I used the following:

# ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
# ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der

...I supposed that it was correct but I'm not sure... I don't find anything about configuring a certificate with the subjectAltName extension.

Could someone suggest the right way to me?

THANKS
Alex
Richard Megginson
2006-Apr-06 14:13 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Alex aka Magobin wrote:
>> I also find this in Sun documentation:
>>
>> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>
> Ok, after reading document I see that certutil that cames with FDS
> support subjectAltName...so I tried to make server certificate with this
> extension but unfortunately doesn't work; I used the following
>
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o
> tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o
> tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
>
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u
> -i tmpcert.der

What errors did you get?

> ...I supposed that it was correctly but I'm not sure...I don't find
> anything about configuration certificate with subjectAltName extention.
>
> Could someone suggest me the right way?
>
> THANKS
> Alex
Rob Crittenden
2006-Apr-06 14:38 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Alex aka Magobin wrote:
>> I also find this in Sun documentation:
>>
>> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>
> Ok, after reading document I see that certutil that cames with FDS
> support subjectAltName...so I tried to make server certificate with this
> extension but unfortunately doesn't work; I used the following
>
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o
> tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o
> tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
>
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u
> -i tmpcert.der
>
> ...I supposed that it was correctly but I'm not sure...I don't find
> anything about configuration certificate with subjectAltName extention.
>
> Could someone suggest me the right way?

Assuming you already have a CA nicknamed 'cacert' and your database is in the directory named 'foo':

% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
% certutil -L -d foo -n Alt-Cert
% rm -f tmpcert.der tmpcertreq

-- Cut --
        Signed Extensions:
            Name: Certificate Subject Alt Name
            Data:
                Sequence {
                    [1] foo.example.com
                }

            Name: Certificate Type
            Data: <SSL Server>
-- Cut --

rob
Alessandro Binarelli
2006-Apr-07 06:46 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
>> Assuming you already have a CA nicknamed 'cacert' and your database is
>> in the directory named 'foo':
>>
>> % certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq
>> -g 1024
>> % certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12
>> -1 -5 -8 foo.example.com
>> % certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
>> % certutil -L -d foo -n Alt-Cert
>> % rm -f tmpcert.der tmpcertreq

Thanks as always.... at this moment I can't try because I'm traveling for work... but, reading what you posted.... I missed "-n Alt-Cert" in my commands... I want to try as soon as possible.... but where did you find that? :-)

Thanks
Alex
Rob Crittenden
2006-Apr-07 12:51 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Alessandro Binarelli wrote:
>> Assuming you already have a CA nicknamed 'cacert' and your database is
>> in the directory named 'foo':
>>
>> % certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq
>> -g 1024
>> % certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12
>> -1 -5 -8 foo.example.com
>> % certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
>> % certutil -L -d foo -n Alt-Cert
>> % rm -f tmpcert.der tmpcertreq
>
> Thanks as always....at this moment I can't try because I'm traveling for
> job...but, reading what you have post....I missed in my commands "-n
> Alt-Cert"...I want try as soon as possible....but where did you have
> find that? :-)

Nothing magical, -n is just the certificate nickname, and Server-Cert was already used, so I chose Alt-Cert.

rob