Emmanuel BILLOT
2009-Feb-25 13:52 UTC
[Fedora-directory-users] Creating a Certificate With Multiple Hostnames
Hi,

We need to bind on a FDS in secure mode, with clients using several hostnames for this server.
Is it possible to create a multiple hostname certificate?

BR,

--
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
<lambam80@hotmail.com>
2009-Feb-25 15:10 UTC
RE: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
Wildcard certificates may still work.

Netscape unfortunately yanked their pages on the subject so my legacy Bookmarks can't help you.

I'm not sure if the CMS is able to create them, however, the page I remember related to the Netscape Enterprise (read: Web) server.

However, I have found a reference:

https://www.thawte.com/ssl-digital-certificates/wildcardssl/index.html

I'll look at home, tonight, to see if I have the old Netscape pages on disk somewhere but the above link gives you the general idea.

Cheers
Emmanuel BILLOT
2009-Feb-25 15:45 UTC
Re: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
I've found some doc on
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html#certutil-procedure

So I tried

    certutil -R -n "mycert" -s "CN="gaia.toutou.fr", OU="DSI", O="IRD", L="Orleans", C="FR"" -8 "waren.toutou.fr" -t "u,u,u" -m 1001 -v 120 -d . -a -o cert.csr -k rsa -g 1024 -f /tmp/pwdfile

I understood it should generate a CSR which includes the DNS alias waren.toutou.fr

I signed it with a personal CA, but a request doesn't give the second DNS name.

Is there any command to check what is in the CSR file?
Emmanuel BILLOT
2009-Feb-25 15:56 UTC
Re: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
Ok, found how to check my CSR

# openssl req -text -noout -in cert.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, L=toutou, O=IRD, OU=DSI, CN=gaia.toutou.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b6:c2:60:30:e0:52:bc:49:52:72:c7:16:68:b3:
                    66:3f:34:4b:7a:cf:3b:da:58:07:e1:10:ec:14:8b:
                    42:10:89:f1:b7:53:fd:7a:cb:9e:b6:de:bb:61:13:
                    16:11:91:be:49:c1:75:50:22:40:25:a8:ae:bd:3a:
                    7b:75:90:2f:1c:33:57:ca:f0:c8:01:c9:0d:8b:56:
                    80:6e:c1:46:9f:b4:dc:e4:9b:1f:bd:31:be:c9:1d:
                    bf:63:d9:05:14:5a:bf:6e:f5:31:64:6c:14:c0:27:
                    ae:7e:0f:7c:fa:e0:5c:f5:c2:4a:a2:ef:a9:f2:22:
                    f7:7a:27:0a:63:c6:4f:27:75
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:waren.toutou.fr
    Signature Algorithm: sha1WithRSAEncryption
        6b:9f:cd:9c:06:4b:68:c0:8b:95:93:ca:b6:8d:da:be:64:84:
        0d:9d:03:8e:50:0b:0f:07:d7:0f:8a:8f:0f:11:d4:09:de:59:
        32:dd:95:6a:c0:30:0d:a9:d2:71:76:d7:b6:c0:8f:57:03:fb:
        be:0f:e3:62:16:e2:39:1f:9c:15:f0:84:ba:6a:57:f7:a8:9b:
        e4:5a:60:3e:b5:b7:a3:79:ca:11:e0:95:50:fd:ee:56:e2:05:
        df:8d:ac:0e:f5:e3:31:a7:ea:d3:6e:7a:57:e7:67:fd:11:94:
        58:72:cb:ee:f2:64:89:82:e2:b5:a9:8a:ea:a6:b7:1f:b7:84:
        2c:60

So it seems that the CA does not recognize the DNS x509_v3 option.

How can I know it?
Marc Sauton
2009-Feb-25 17:26 UTC
Re: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
Emmanuel BILLOT wrote:
> I signed it with a personal CA, but a request doesn't give the second
> DNS name.

You may want to review this doc:
http://directory.fedoraproject.org/wiki/Howto:SSL

> Is there any command to check what is in the CSR file?

One example can be:

    openssl req -in /var/tmp/some.csr -text|less
Emmanuel BILLOT
2009-Feb-26 12:42 UTC
Re: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
Emmanuel BILLOT wrote:
> So it seems that the CA does not recognize the DNS x509_v3 option.
>
> How can I know it?

Actually, the CA does not recognize the DNS x509_v3 option.
I had to use the copy_extensions = copy option in the openssl.cnf to activate it.

Now I can use multiple hostname certs with FDS.
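The failure and the fix from the last message, as an added example that is not part of the original thread: a throwaway `openssl ca` setup signs the same two-name CSR with `copy_extensions` set to `none` and then to `copy`. The `example.test` hostnames, the file names and the `issue_san` helper are constructed for illustration, and the CSR is made with `openssl req` rather than `certutil`.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name below is constructed.
# issue_san MODE prints the DNS names found in the issued certificate
# (empty output if the CA dropped them). MODE is the copy_extensions value.
issue_san() {
  mode=$1
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = newcerts
default_md = sha256
default_days = 30
policy = policy_any
copy_extensions = $mode
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = gaia.example.test
[ v3_req ]
subjectAltName = DNS:gaia.example.test, DNS:waren.example.test
EOF
    # Self-signed, test-only CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.crt >/dev/null 2>&1
    # Server CSR that requests two DNS names in subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -keyout srv.key -out srv.csr >/dev/null 2>&1
    # Sign it; whether the SAN survives depends only on copy_extensions.
    openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key \
      -in srv.csr -out srv.crt >/dev/null 2>&1
    openssl x509 -in srv.crt -noout -text | grep 'DNS:' | tr -d ' '
  )
  rm -rf "$dir"
}

echo "copy_extensions=none: [$(issue_san none)]"
echo "copy_extensions=copy: [$(issue_san copy)]"
```

With `copy`, the CA carries over the extensions the requester put in the CSR, so inspect each request with `openssl req -text -noout` before signing it.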