[Fedora-directory-users] Re: SubjectAltName how does it work?

Rob Crittenden rcritten at redhat.com
Thu Apr 6 14:38:15 UTC 2006


Alex aka Magobin wrote:
>>I also find this in Sun documentation:
>>
>>certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>>
> 
> 
> Ok, after reading the document I see that the certutil that comes with FDS
> supports subjectAltName...so I tried to make a server certificate with this
> extension but unfortunately it doesn't work; I used the following
> 
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com -o
> tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o
> tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
> 
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u
> -i tmpcert.der
> 
> 
> 
> ...I supposed that it was correct but I'm not sure...I can't find
> anything about configuring a certificate with the subjectAltName extension.
> 
> Could someone suggest the right way?

Assuming you already have a CA nicknamed 'cacert' and your database is 
in the directory named 'foo':

% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
% certutil -L -d foo -n Alt-Cert
% rm -f tmpcert.der tmpcertreq

-- Cut --
         Signed Extensions:
             Name: Certificate Subject Alt Name
             Data: Sequence {
                 [1]
                     foo.example.com
             }

             Name: Certificate Type
             Data: <SSL Server>
-- Cut --

rob
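
A check for the listing step above, added here as an example and not part of the original message: it reads `certutil -L` output in the layout shown in the excerpt and reports whether a given host name appears in the Subject Alt Name extension. The function names and the embedded sample are constructed for illustration, and other certutil versions may print the extension differently.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample: the listing excerpt from the message above.
SAMPLE_LISTING='        Signed Extensions:
            Name: Certificate Subject Alt Name
            Data: Sequence {
                [1]
                    foo.example.com
            }

            Name: Certificate Type
            Data: <SSL Server>'

# alt_names: read `certutil -L -d DIR -n NICK` output on stdin and print
# every value found inside the "Certificate Subject Alt Name" sequence.
alt_names() {
    awk '
        /Name: Certificate Subject Alt Name/ { in_ext = 1; next }
        in_ext && /Data: Sequence [{]/       { in_seq = 1; next }
        in_seq && /^[ \t]*[}][ \t]*$/        { in_ext = 0; in_seq = 0; next }
        in_seq {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            # Skip blank lines and the bracketed markers such as "[1]".
            if (line == "" || line ~ /^\[[0-9]+\]$/) next
            print line
        }
    '
}

# has_alt_name HOST: succeed only if HOST is one of the listed names.
# The comparison ignores case, since DNS names are case-insensitive.
has_alt_name() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    alt_names | tr 'A-Z' 'a-z' | grep -Fqx -- "$want"
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LISTING" | has_alt_name foo.example.com; then
    echo "foo.example.com is present in the Subject Alt Name extension"
fi
```

Against a real database the same check is `certutil -L -d foo -n Alt-Cert | has_alt_name foo.example.com`, run before the certificate is put into service.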