Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
This e-mail is intended for its addressees only. Do not forward this e-mail without approval. The views expressed in this e-mail may not necessarily be the views of SOPAC.
-----Original Message-----
From: Liam Helmer - Lists [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 November 2001 2:03
To: '[EMAIL PROTECTED]'
Subject: Got a minute? Openssl/Windows 2000 CA interop

I looked all around the net, and the one document I found http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt (or the openssl.txt) that talks about unsupported subjectAltName tags.
So, following those instructions, I've included the cert request, and certnew.cer, the binary encoded certificate. Anyone have suggestions for this here?
In text format, here's the problem I'm getting. I'm generating a certificate request using openssl with a subjectAltName. I'm doing it as follows:
subjectAltName = FQDN for ipsec ID
subjectAltName_min = 7
subjectAltName_max = 256
subjectAltName_default = dnsName:fqdn.of.the.server

This lets me enter in the DNS name of the server for use with FreeS/WAN ipsec (www.freeswan.org) with x509 certificates (http://www.strongsec.com/freeswan/, and specifically http://www.strongsec.com/freeswan/install.htm#section_7.2).
My organization is big on Microsoft... so I'm attempting to use the M$ certificate services to issue the certs. So, I send the request below, which contains the correct subjectAltName extension:
Attributes:
X509v3 Subject Alternative Name:dnsName:van-test-firewall.van.voyus.com

(Incidentally, I also tried using DNS:van-test-firewall.van.voyus.com, which got the same results. AFAICT, DNS: is an alias for dnsName:, so I tried that instead on this round).
Then, I get the cert request approved using the windows 2000 ca, and it comes back like this:
X509v3 Subject Alternative Name:
othername:<unsupported>

Now... I'm greatly familiar with interoperability problems using M$ products, but, I was curious if anyone knew of anything I can do to make this work. I'm also going to contact MS about this one... I can find no information about this on their support site of course.
I'm using openssl-0.96a.
Thanks in advance!
Liam
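
A check for the symptom described in the message above, added here as an example and not part of the original e-mail: it prints the subjectAltName carried by a request and by the issued certificate, so a CA that rewrote the extension (as in the othername:<unsupported> result) is caught before the certificate is deployed. The host name fw.example.test, the file names and the self-signing step standing in for a CA are constructed for the demonstration; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: compare the SAN in a CSR with the SAN in the issued cert.

# Write a request config that asks for the SAN as an X509v3 request extension,
# then create a key and CSR from it. $1 = work dir, $2 = FQDN (constructed).
make_csr() {
    cat > "$1/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
CN = $2
[ v3_req ]
subjectAltName = DNS:$2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR, applying the v3_req section.
self_issue() {
    openssl x509 -req -in "$1/req.pem" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/req.cnf" -extensions v3_req -out "$1/cert.pem" 2>/dev/null
}

# Extract the line under "X509v3 Subject Alternative Name" from -text output.
san_line() {
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' '
}
san_of_csr()  { openssl req  -in "$1" -noout -text | san_line; }
san_of_cert() { openssl x509 -in "$1" -noout -text | san_line; }

# Succeeds only if the certificate carries the SAN the request asked for.
san_preserved() {
    want=$(san_of_csr "$1"); got=$(san_of_cert "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

demo_dir=$(mktemp -d)
make_csr "$demo_dir" fw.example.test && self_issue "$demo_dir"
echo "request: $(san_of_csr "$demo_dir/req.pem")"
echo "issued:  $(san_of_cert "$demo_dir/cert.pem")"
san_preserved "$demo_dir/req.pem" "$demo_dir/cert.pem" && echo "SAN preserved"
```

Run san_preserved against the request that was submitted and the certificate the CA returned; an issued certificate whose SAN line differs from the request, or has none, makes it fail.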