Hi,
I've created a cert request with the "-8" parameter (subjectAltName),
signed it with my own OpenSSL CA and installed it on a 389 node.
When I perform an ldapsearch with TLS (-ZZ) I get:
TLS: hostname (ldap.example.com) does not match common name in
certificate (node1.example.com).
I've double-checked all steps but no success.
Any advice?
Regards.
--
=======================
  ^ ^
  O O
 (_ _)
muzzol(a)muzzol.com
=======================
jabber id: muzzol(a)jabber.dk
=======================
Don't attribute human qualities to computers. They don't like it.
=======================
"The Spanish government only talks to terrorists, homosexuals and
Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
=======================
<echelon spamming>
bomb terrorism bush aznar teletubbies
</echelon spamming>
Rich Megginson
muzzol wrote:
> hi,
>
> I've created a cert request with "-8" parameter (subjectAltName),
> signed with my own openssl CA and installed on a 389 node.
>
> when I perform an ldapsearch with TLS (-ZZ) I get
Did you specify the FQDN with the -h argument? What hostname did you give? The real hostname or the subjectAltName?
> TLS: hostname (ldap.example.com) does not match common name in
> certificate (node1.example.com).
>
> I've double checked all steps but no success.
>
> any advice?
>
> regards.
muzzol
2010/1/4 Rich Megginson <rmeggins@redhat.com>:
> muzzol wrote:
> Did you specify the FQDN with the -h argument? What hostname did you give?
> The real hostname or the subjectAltName?

I've used the FQDN for the CN and an additional DNS entry for subjectAltName.

Anyway, I've found that I get a different cert when signing it with
OpenSSL (openssl -req) and certutil (-C).

I've created a sample CA with certutil and repeated the whole process. Now I
don't get that error anymore.

Is this a known behaviour? Are there any limitations with
subjectAltName and OpenSSL signing?

Anyone using OpenSSL to sign their DS certs?
John A. Sullivan III
2010-Jan-05 00:04 UTC
Re: [389-users] certificate with subjectAltName
On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
> 2010/1/4 Rich Megginson <rmeggins@redhat.com>:
>> muzzol wrote:
>> Did you specify the FQDN with the -h argument? What hostname did you give?
>> The real hostname or the subjectAltName?
>
> I've used the FQDN for the CN and an additional DNS entry for subjectAltName.
>
> Anyway, I've found that I get a different cert when signing it with
> OpenSSL (openssl -req) and certutil (-C).
>
> I've created a sample CA with certutil and repeated the whole process. Now I
> don't get that error anymore.
>
> Is this a known behaviour? Are there any limitations with
> subjectAltName and OpenSSL signing?
>
> Anyone using OpenSSL to sign their DS certs?
>
We are (via OpenCA) but we are also doing server side key generation - John
Hello. My two centimes worth.
Although I use OpenSSL in test, I've never used altnames - sorry.
In prod we use a commercial CA. I find that if I want to use one or more
altname(s) I must also specify the FQDN in the list of altnames.
Common Name:
wiki.a.b
Alternate Name (DNS):
wiki.a.b
wikisso.a.b
Cdlt, Dave
---
John A. Sullivan III wrote:
> On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
>
>> 2010/1/4 Rich Megginson <rmeggins@redhat.com>:
>>
>>> muzzol wrote:
>>> Did you specify the FQDN with the -h argument? What hostname did
>>> you give?
>>> The real hostname or the subjectAltName?
>>>
>> I've used the FQDN for the CN and an additional DNS entry for
>> subjectAltName.
>>
>>
>> Anyway, I've found that I get a different cert when signing it
>> with OpenSSL (openssl -req) and certutil (-C).
>>
>> I've created a sample CA with certutil and repeated the whole
>> process. Now I
>> don't get that error anymore.
>>
>> is this a known behaviour? is there any limitations with
>> subjectAltName and OpenSSL signing?
>>
>> anyone using OpenSSL to sign their DS certs?
>>
>>
>>
>>
> We are (via OpenCA) but we are also doing server side key generation -
> John
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
David (Dave) Donnan
2010-Jan-05 12:28 UTC
Re: [389-users] certificate with subjectAltName or wildcards
Oops, as it's your own CA, you may want to investigate wildcard
certificates, also (FQDN: *.domain.com):
http://web.archive.org/web/20071124072414/http://wp.netscape.com/eng/security/ssl_2.0_certificate.html
and search for the word "encoding" (i.e. the section Subject Common Name).
Cdlt, Dave
------
David (Dave) Donnan wrote:
> Hello. My two centimes worth.
>
> Although I use OpenSSL in test, I've never used altnames - sorry.
>
> In prod we use a commercial CA. I find that if I want to use one or
> more altname(s) I must also specify the FQDN in the list of altnames.
>
> Common Name:
> wiki.a.b
> Alternate Name (DNS):
> wiki.a.b
> wikisso.a.b
>
> Cdlt, Dave
> ---
> John A. Sullivan III wrote:
>> On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
>>
>>> 2010/1/4 Rich Megginson <rmeggins@redhat.com>:
>>>
>>>> muzzol wrote:
>>>> Did you specify the FQDN with the -h argument? What hostname
>>>> did you give?
>>>> The real hostname or the subjectAltName?
>>>>
>>> I've used the FQDN for the CN and an additional DNS entry for
>>> subjectAltName.
>>>
>>>
>>> Anyway, I've found that I get a different cert when signing
>>> it with OpenSSL (openssl -req) and certutil (-C).
>>>
>>> I've created a sample CA with certutil and repeated the whole
>>> process. Now I
>>> don't get that error anymore.
>>>
>>> is this a known behaviour? is there any limitations with
>>> subjectAltName and OpenSSL signing?
>>>
>>> anyone using OpenSSL to sign their DS certs?
>>>
>>>
>>>
>>>
>> We are (via OpenCA) but we are also doing server side key generation -
>> John
>>
>> --
>> 389 users mailing list
>> 389-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
muzzol
2010/1/5 David (Dave) Donnan <david.donnan@thalesgroup.com>:
> Hello. My two centimes worth.
>
> Although I use OpenSSL in test, I've never used altnames - sorry.
>
> In prod we use a commercial CA. I find that if I want to use one or more
> altname(s) I must also specify the FQDN in the list of altnames.
>
> Common Name:
> wiki.a.b
> Alternate Name (DNS):
> wiki.a.b
> wikisso.a.b
>
Didn't try that. I'll give it a shot.

Thanks, muzzol
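The hostname check behind the error in this thread follows the RFC 2818 / RFC 6125 rule: once a certificate carries any dNSName subjectAltName, the client compares the requested hostname against the SAN entries only and never consults the CN. That is why Dave's advice to repeat the FQDN in the altname list matters, and why a CSR whose SAN is dropped during signing produces exactly the "does not match common name" message. The following is an added example, not code from 389 DS, OpenLDAP or any poster; it implements that matching rule in plain Python over constructed certificate name sets shaped like Python's `ssl.getpeercert()` output, mirroring muzzol's CN=node1.example.com / SAN=ldap.example.com case, Dave's FQDN-in-SAN layout, and the wildcard case from his second mail. The certificate dicts and all names in them are constructed for illustration.

```python
"""RFC 2818 / RFC 6125 style hostname matching against a certificate's names.

Added example for this thread; it is not code from 389 DS, OpenLDAP or the
posters.  The certificate dicts below are constructed to mirror the thread and
use the shape Python's ssl.getpeercert() returns (name fields only).
"""


def _name_matches(presented, hostname):
    """Match one presented DNS identifier against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    accepted only as the entire leftmost label with at least two labels after
    it, so '*.a.b' matches 'wiki.a.b' but not 'a.b', 'x.wiki.a.b', and a
    partial wildcard such as 'wiki*.a.b' is rejected outright.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcard or wildcard too close to the apex
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """Return (dNSName SAN entries, commonName values) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def hostname_matches(cert, hostname):
    """Decide whether `cert` is valid for `hostname`; returns (ok, reason).

    The rule that bites in this thread: if the certificate carries any dNSName
    subjectAltName, the CN is not consulted at all, so a CN that is not also
    listed in the SAN never matches.  Only a certificate with no dNSName SAN
    falls back to the CN.
    """
    sans, cns = cert_dns_names(cert)
    if sans:
        for san in sans:
            if _name_matches(san, hostname):
                return True, "hostname (%s) matches subjectAltName DNS:%s" % (hostname, san)
        return False, ("hostname (%s) does not match any subjectAltName %s; "
                       "common name %s is ignored because a SAN is present" % (hostname, sans, cns))
    for cn in cns:
        if _name_matches(cn, hostname):
            return True, "hostname (%s) matches common name (%s); no subjectAltName" % (hostname, cn)
    return False, "hostname (%s) does not match common name in certificate (%s)" % (hostname, cns)


# Constructed certificates (name fields only) mirroring the thread.
# What muzzol requested: the CN is the node, the SAN is the service alias.
CERT_SAN_ALIAS_ONLY = {
    "subject": ((("commonName", "node1.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
# What a signer that drops the CSR's extensions produces: CN only.
CERT_CN_ONLY = {
    "subject": ((("commonName", "node1.example.com"),),),
}
# Dave's layout: the FQDN repeated in the SAN list beside the extra name.
CERT_FQDN_IN_SAN = {
    "subject": ((("commonName", "wiki.a.b"),),),
    "subjectAltName": (("DNS", "wiki.a.b"), ("DNS", "wikisso.a.b")),
}
# Wildcard certificate as mentioned in Dave's second mail.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.a.b"),),),
    "subjectAltName": (("DNS", "*.a.b"),),
}


if __name__ == "__main__":
    for label, cert, host in [
        ("SAN alias, asking for alias", CERT_SAN_ALIAS_ONLY, "ldap.example.com"),
        ("SAN alias, asking for node", CERT_SAN_ALIAS_ONLY, "node1.example.com"),
        ("CN only, asking for alias", CERT_CN_ONLY, "ldap.example.com"),
        ("FQDN in SAN, asking for node", CERT_FQDN_IN_SAN, "wiki.a.b"),
        ("wildcard, asking for wiki", CERT_WILDCARD, "wiki.a.b"),
        ("wildcard, asking for apex", CERT_WILDCARD, "a.b"),
    ]:
        ok, reason = hostname_matches(cert, host)
        print("%-30s %-4s %s" % (label, "OK" if ok else "FAIL", reason))
```

The name handed to `ldapsearch -h` is the one compared, which is the point of Rich's question. On the OpenSSL side, the usual reason a CSR's subjectAltName vanishes at signing time is that `openssl x509 -req` does not copy extensions out of the request unless given `-extfile`/`-extensions`, and `openssl ca` only does so with `copy_extensions = copy` in its configuration; muzzol's observation that the OpenSSL-signed and certutil-signed certificates differ is consistent with that. Inspect the issued certificate with `openssl x509 -in server.crt -noout -text` and confirm an `X509v3 Subject Alternative Name` block listing every name clients will connect to, including the CN itself.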