Alex aka Magobin wrote:
>I also find this in Sun documentation:
>
>certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>
OK, after reading the document I see that the certutil that comes with FDS
supports subjectAltName, so I tried to make a server certificate with this
extension, but unfortunately it doesn't work. I used the following:
# ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
# ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der
I supposed that it was correct, but I'm not sure. I can't find
anything about configuring a certificate with the subjectAltName extension.
Could someone suggest the right way?

Assuming you already have a CA nicknamed 'cacert' and your database is
in the directory named 'foo':
% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
% certutil -L -d foo -n Alt-Cert
% rm -f tmpcert.der tmpcertreq
-- Cut --
Signed Extensions:
Name: Certificate Subject Alt Name
Data: Sequence {
[1]
foo.example.com
}
Name: Certificate Type
Data: <SSL Server>
-- Cut --
rob
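
A check for the listing step in the reply above, added here as an example and not part of the original thread: it reads a certutil -L listing and confirms that the host name clients will connect to is among the Subject Alt Name entries. The function names and the sample listing are constructed for illustration, and the parser assumes the extension layout quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the listing layout quoted in
# the reply above; other NSS versions may print this extension differently.

# san_names: read a `certutil -L -d DB -n NICKNAME` listing on stdin and
# print each Subject Alt Name entry on its own line.
san_names() {
    awk '
        /Name:[ \t]*Certificate Subject Alt Name/ { in_ext = 1; next }
        in_ext && !in_seq && /Name:/ { in_ext = 0 }   # a different extension
        in_ext && !in_seq && /Sequence[ \t]*[{]/ { in_seq = 1; next }
        in_seq && /[}]/ { exit }                      # end of the SAN list
        in_seq {
            gsub(/^[ \t]+|[ \t]+$/, "")               # trim indentation
            if ($0 == "" || $0 ~ /^\[[0-9]+\]$/) next # skip tags such as [1]
            print
        }
    '
}

# has_san HOST: succeed if HOST is one of the entries (case-insensitive,
# whole-name match, no wildcard handling).
has_san() {
    san_names | grep -Fxiq -- "$1"
}

# Constructed sample, modelled on the output quoted in the reply.
sample_listing() {
    cat <<'EOF'
    Signed Extensions:
        Name: Certificate Subject Alt Name
        Data: Sequence {
            [1]
                foo.example.com
        }

        Name: Certificate Type
        Data: <SSL Server>
EOF
}

for host in foo.example.com ldap.domain.example.com; do
    if sample_listing | has_san "$host"; then
        echo "$host: listed in subjectAltName"
    else
        echo "$host: NOT listed in subjectAltName"
    fi
done
```

Against a real database, pipe the listing command from the reply into the check, for example: certutil -L -d foo -n Alt-Cert | has_san foo.example.com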