From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Wildcard ssl certificate using subjectAltName
Date: Tue, 14 Feb 2006 13:38:33 +0100

On Mon, Feb 13, 2006, Khai Doan wrote:

> Can I have
>
> subjectAltName = critical,DNS:*.hostname.com
>
> What other things are possible here (DNS, IP, email, URI, etc) ?
>

Did you read the manual page I referenced:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

That tells you what can be used there with some examples.

I read the manual page you referenced, but the RFC seems to mention dNSName, and when I try it

subjectAltName = critical,dNSName:*.domain.com

openssl gives me an error, so I am confused.


> Using IP:192.168.10.16 and DNS:*.hostname.com does not seem to work
> (Internet Explorer throws up a warning dialog: The name on the security
> certificate is invalid or does not match the name of the site).
>

If it now appears in "extensions" in the certificate then that
probably means IE doesn't support it.

>
> Has anyone successfully created a wildcard certificate that binds to an IP
> address?
>

That is illegal. You can only specify a single IP address per entry.

Why don't you explain what you are trying to do? There may be an alternative
method to achieve what you want.

I am trying to create a certificate (either host based or service based; in this case it is for the web). The idea is: the browser opens a connection using whatever IP address DNS gives, and uses this IP to compare with the IP address presented in the certificate. This should work regardless of the hostname of the URL, whether it is a.domain.com or b.domain.com or a.b.domain.com or *.domain.com or *.*.domain.com where * can be anything. In my environment, I literally have thousands of identities that need to fit into the wildcard, and I would rather not list them all using subjectAltName. I would rather use:

subjectAltName = critical,DNS:*.hostname.com,DNS:*.*.hostname.com,IP:192.168.10.16

and I would rather not create thousands of IP-based virtual hosts (inside apache httpd.conf). I really want a host based or service based certificate.

For this to work, do I need to run DNSSEC? (This service can be outsourced to a third party DNS service provider, whose certificate can be independently verified.)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
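The thread turns on two things a client does with a subjectAltName: it only accepts the entry types x509v3_config knows (DNS, IP, email, URI; the ASN.1 field name dNSName is rejected, as the poster saw), and it matches the identity taken from the URL against those entries, so an IP entry is consulted only when the URL itself contains an IP literal, and a DNS wildcard matches exactly one label in the left-most position (RFC 6125), which is why *.hostname.com does not cover a.b.hostname.com and *.*.hostname.com matches nothing. The following is an added example written for this page, not OpenSSL code or anything from the list: a small parser for the config-style SAN string together with a browser-style identity matcher. The SAN value and reference names are constructed from the thread; the email/URI handling and the "at least two labels after the wildcard" guard are simplifications and not a full implementation of any library.

```python
"""Toy subjectAltName parser and peer-identity matcher (constructed example).

Accepts the x509v3_config syntax, e.g. "critical,DNS:*.hostname.com,IP:192.168.10.16",
and checks whether a reference identity (the hostname or IP literal from the URL)
matches any entry the way a browser would.
"""
import ipaddress

# Entry types from the x509v3_config manual page that this toy parser models.
# otherName, dirName, RID and "email:copy" exist too but are not handled here.
SAN_TYPES = {"DNS", "IP", "email", "URI"}


def parse_san(value):
    """Return (critical, [(type, value), ...]) from a config-style SAN string.

    Raises ValueError for an unknown prefix such as 'dNSName:' (the RFC 5280
    ASN.1 field name), which x509v3_config does not accept, and for an IP entry
    that is not one literal address (there is no wildcard form for IP entries).
    """
    critical = False
    entries = []
    for item in value.split(","):
        item = item.strip()
        if item == "critical":
            critical = True
            continue
        typ, sep, val = item.partition(":")
        if not sep or typ not in SAN_TYPES:
            raise ValueError(f"unsupported subjectAltName entry: {item!r}")
        if typ == "IP":
            ipaddress.ip_address(val)  # must parse as a single v4/v6 address
        entries.append((typ, val))
    return critical, entries


def dns_matches(pattern, hostname):
    """RFC 6125 style wildcard match: '*' must be the whole left-most label,
    matches exactly one label, and is refused when too general (e.g. '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard not left-most, or more than one wildcard label
    if len(p_labels) < 3:
        return False  # simplified guard against '*.com' style patterns
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # the wildcard covers one non-empty label, never several
    return p_labels[1:] == h_labels[1:]


def identity_matches(san_value, reference):
    """True if `reference` (hostname or IP literal) matches a SAN entry.

    As browsers do, an IP literal is compared only against IP entries and a
    hostname only against DNS entries; the address the name resolved to is
    never consulted.
    """
    _, entries = parse_san(san_value)
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for typ, val in entries:
        if typ == "IP" and ref_ip is not None:
            if ipaddress.ip_address(val) == ref_ip:
                return True
        elif typ == "DNS" and ref_ip is None:
            if dns_matches(val, reference):
                return True
    return False


# Constructed from the SAN line proposed in the thread.
SAN = "critical,DNS:*.hostname.com,DNS:*.*.hostname.com,IP:192.168.10.16"

if __name__ == "__main__":
    for ref in ["a.hostname.com", "a.b.hostname.com", "hostname.com",
                "192.168.10.16", "192.168.10.17"]:
        print(f"{ref:18} -> {identity_matches(SAN, ref)}")
    try:
        parse_san("critical,dNSName:*.domain.com")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows a.hostname.com and 192.168.10.16 matching, while a.b.hostname.com, hostname.com and 192.168.10.17 do not; the dNSName line is rejected at parse time, mirroring the error the poster reports from openssl.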
