Hi,
We need to bind on a FDS in secure mode, with clients using several hostnames for this server. Is it possible to create a multiple hostname certificate?
BR,
Wildcard certificates may still work.
Netscape unfortunately yanked their pages on the subject so my legacy Bookmarks can't help you.
I'm not sure if the CMS is able to create them, however, the page I remember related to the Netscape
Enterprise (read: Web) server.
However, I have found a reference:
https://www.thawte.com/ssl-digital-certificates/wildcardssl/index.html
I'll look at home, tonight, to see if I have the old Netscape pages on disk somewhere but the above
link gives you the general idea.
Cheers
Date: Wed, 25 Feb 2009 14:52:45 +0100
From: emmanuel.billot@ird.fr
To: Fedora-directory-users@redhat.com
CC:
Subject: [Fedora-directory-users] Creating a Certificate With Multiple Hostnames
--
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
I've found some doc on http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_cert...
So I tried
    certutil -R -n "mycert" -s "CN="gaia.toutou.fr", OU="DSI", O="IRD", L="Orleans", C="FR"" -8 "waren.toutou.fr" -t "u,u,u" -m 1001 -v 120 -d . -a -o cert.csr -k rsa -g 1024 -f /tmp/pwdfile
I understood it should generate a csr which includes DNS alias waren.toutou.fr
I signed it with a personal CA, but a request doesn't give the second DNS name.
Is there any command to check what is in the csr file?
Emmanuel BILLOT wrote:
> I signed it with a personal CA, but a request doesn't give the second DNS name.
You may want to review this doc: http://directory.fedoraproject.org/wiki/Howto:SSL
> Is there any command to check what is in the csr file?
One example can be: openssl req -in /var/tmp/some.csr -text|less
Ok found how to check my csr
# openssl req -text -noout -in cert.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, L=toutou, O=IRD, OU=DSI, CN=gaia.toutou.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b6:c2:60:30:e0:52:bc:49:52:72:c7:16:68:b3:
                    66:3f:34:4b:7a:cf:3b:da:58:07:e1:10:ec:14:8b:
                    42:10:89:f1:b7:53:fd:7a:cb:9e:b6:de:bb:61:13:
                    16:11:91:be:49:c1:75:50:22:40:25:a8:ae:bd:3a:
                    7b:75:90:2f:1c:33:57:ca:f0:c8:01:c9:0d:8b:56:
                    80:6e:c1:46:9f:b4:dc:e4:9b:1f:bd:31:be:c9:1d:
                    bf:63:d9:05:14:5a:bf:6e:f5:31:64:6c:14:c0:27:
                    ae:7e:0f:7c:fa:e0:5c:f5:c2:4a:a2:ef:a9:f2:22:
                    f7:7a:27:0a:63:c6:4f:27:75
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:waren.toutou.fr
    Signature Algorithm: sha1WithRSAEncryption
        6b:9f:cd:9c:06:4b:68:c0:8b:95:93:ca:b6:8d:da:be:64:84:
        0d:9d:03:8e:50:0b:0f:07:d7:0f:8a:8f:0f:11:d4:09:de:59:
        32:dd:95:6a:c0:30:0d:a9:d2:71:76:d7:b6:c0:8f:57:03:fb:
        be:0f:e3:62:16:e2:39:1f:9c:15:f0:84:ba:6a:57:f7:a8:9b:
        e4:5a:60:3e:b5:b7:a3:79:ca:11:e0:95:50:fd:ee:56:e2:05:
        df:8d:ac:0e:f5:e3:31:a7:ea:d3:6e:7a:57:e7:67:fd:11:94:
        58:72:cb:ee:f2:64:89:82:e2:b5:a9:8a:ea:a6:b7:1f:b7:84:
        2c:60
So it seems that the CA does not recognize the DNS x509_v3 option.
How can I know it?
Emmanuel BILLOT wrote:
Actually, the CA does not recognize the DNS x509_v3 option. I had to use the
copy_extensions = copy
option in the openssl.cnf to activate it. Now I can use multiple hostname certs with FDS.
389-users@lists.fedoraproject.org
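The fix from the last message, reproduced with a throwaway CA (an added example, not part of the thread): the script signs the same SAN-bearing CSR once with copy_extensions = none and once with copy_extensions = copy, and prints the DNS names that end up in the issued certificate. The CA layout, the config section names and the example.test hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example. Throwaway CA in a temp dir; all names are constructed.
# issue_san MODE: sign a CSR that requests two DNS names with
# copy_extensions=MODE and print the SAN list of the issued certificate.
issue_san() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts && : > index.txt && echo 1001 > serial || exit 1
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = ./newcerts
database = ./index.txt
serial = ./serial
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = usr_cert
copy_extensions = $1
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = gaia.example.test
[ v3_req ]
subjectAltName = DNS:gaia.example.test, DNS:waren.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.crt -days 30 >/dev/null 2>&1 || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -keyout srv.key -out srv.csr >/dev/null 2>&1 || exit 1
    openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key \
      -in srv.csr -out srv.crt >/dev/null 2>&1 || exit 1
    openssl x509 -in srv.crt -noout -text | grep 'DNS:' | sed 's/^ *//; s/ *$//'
  )
  rc=$?; rm -rf "$d"; return $rc
}
for mode in none copy; do
  printf 'copy_extensions=%s -> %s\n' "$mode" "$(issue_san "$mode")"
done
```

With copy, the CA signs any extension the requester put in the CSR unless its own extension section already sets it, so pin values such as basicConstraints = CA:FALSE there and inspect each issued certificate with openssl x509 -noout -text before deploying it.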