On 18/09/2022 11:09, Stuart Henderson wrote:
On 2022-09-14, Goetz Schultz <dovecot.expire1...@suelze.de> wrote:
I had the same issue on TB102. Self-Signed certificates rejected despite
having the CA installed correctly as authority. Turns out out that that
TB now wants extension "Subject Alt Names". Added that and all works
now. Seems another Google pressed issue being introduced (my Chromium
had same issues and rejected certs before I added SAN).
It's not just a "Google pressed issue".
Seems I was a hasty in blaming .....
[..]
Practically this means you need to make sure that if you use self-
signed or internal CA certificates you include subjectAlternativeName
otherwise they won't work with some client software. If you use public
CA-signed certs you typically don't need to do this yourself because
the CA adds SAN if missing from the CSR (their only other option is
to reject issuance).
Thanks for the elaboration. I have it now under control to sign certs
that have a SAN in the CSR.
Thanks and regards
Goetz R Schultz
---------------->8----------------
Quis custodiet ipsos custodes?
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \
----------------8<----------------
---------------------------->8------------------------------
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \
This message is transmitted on 100% recycled electrons.
---------------------------->8------------------------------
Unsigned message - no responsibillity that content is not altered
