OpenSSL 0.9.7j on OpenBSD 4.0

1. Created a cert for host.domain1.tld (a mail server that houses multiple
   virtual domains, but its real hostname is host.domain1.tld) using the
   commands and config file listed below
2. Installed the root CA cert and server cert on the server
3. Installed the root CA cert in Thunderbird 2.0.0.4 on OS X 10.4.10 and set
   Thunderbird to trust it for everything
4. When starting Thunderbird, this message always appears:

   You have attempted to establish a connection with "host.domain1.tld".
   However, the security certificate presented belongs to "host.domain1.tld".
   It is possible, though unlikely, that someone may be trying to intercept
   your communication with this web site.

Note that "host.domain1.tld" is exactly the same string in both cases, and
again it's the canonical name of the mail server.

What's wrong here? Thanks in advance for clues on troubleshooting this
"error."

dn

Command to generate cert on CA:

  openssl req -nodes -new -keyout private/host.domain1.tld.key \
    -out csrs/host.domain1.tld.csr -extensions server \
    -config ./openssl.cnf

Command to generate cert:

  openssl ca -out certs/host.domain1.tld \
    -in csrs/host.domain1.tld.csr -extensions server \
    -config ./openssl.cnf

openssl.cnf:

  [ ca ]
  default_ca = CA_default

  [ CA_default ]
  dir = .
  serial = $dir/serial
  database = $dir/index.txt
  new_certs_dir = $dir/newcerts
  certs = $dir/certs
  certificate = $certs/cacert.pem
  private_key = $dir/private/cakey.pem
  default_days = 365
  default_md = md5
  preserve = no
  email_in_dn = no
  nameopt = default_ca
  certopt = default_ca
  policy = policy_match
  copy_extensions = copy

  [ CA_with_exts ]
  dir = .
  serial = $dir/serial
  database = $dir/index.txt
  new_certs_dir = $dir/newcerts
  certs = $dir/certs
  certificate = $certs/cacert.pem
  private_key = $dir/private/cakey.pem
  default_days = 365
  default_md = md5
  preserve = no
  email_in_dn = no
  nameopt = default_ca
  certopt = default_ca
  policy = policy_match
  copy_extensions = copy

  [ policy_match ]
  countryName = optional
  stateOrProvinceName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional

  [ req ]
  default_bits = 1024                 # Size of keys
  default_keyfile = key.pem           # name of generated keys
  default_md = md5                    # message digest algorithm
  string_mask = nombstr               # permitted characters
  distinguished_name = req_distinguished_name
  req_extensions = v3_req
  x509_extensions = v3_req

  [ req_distinguished_name ]
  # Variable name                 Prompt string
  #----------------------         ----------------------------------
  0.organizationName = Organization Name (company)
  organizationalUnitName = Organizational Unit Name (department, division)
  emailAddress = Email Address
  emailAddress_max = 40
  localityName = Locality Name (city, district)
  stateOrProvinceName = State or Province Name (full name)
  countryName = Country Name (2 letter code)
  countryName_min = 2
  countryName_max = 2
  commonName = Common Name (hostname, IP, or your name)
  commonName_max = 64

  # Default values for the above, for consistency and less typing.
  # Variable name                 Value
  #------------------------------ ------------------------------
  0.organizationName_default = Network Test Inc.
  localityName_default = Westlake Village
  stateOrProvinceName_default = California
  countryName_default = US
  organizationalUnitName_default = Engineering
  emailAddress_default = [EMAIL PROTECTED]

  [ v3_ca ]
  basicConstraints = CA:TRUE
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer:always

  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

  # Some CAs do not yet support subjectAltName in CSRs.
  # Instead the additional names are form entries on web
  # pages where one requests the certificate...
  #
  # uncomment subjectAltName for multiple hosts
  # subjectAltName = @alt_names

  [alt_names]
  #
  # uncomment DNS names (changing as necessary) for multiple hosts
  #
  DNS.1 = imap.domain1.tld
  DNS.2 = mail.domain2.tld
  DNS.3 = mail.domain3.tld
  DNS.4 = mail.domain4.tld
  DNS.5 = mail.domain5.tld
  DNS.6 = mail.domain6.tld
  DNS.7 = mail.domain7.tld
  DNS.8 = mail.domain8.tld

  [ server ]
  # JY ADDED -- Make a cert with nsCertType set to "server"
  basicConstraints=CA:FALSE
  nsCertType = server
  nsComment = "OpenSSL Generated Server Certificate"
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always

  [ client ]
  # JY ADDED -- Make a cert with nsCertType set to "client"
  basicConstraints=CA:FALSE
  nsCertType = client
  nsComment = "OpenSSL Generated Client Certificate"
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always
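When a client complains that a certificate for "host.domain1.tld" does not belong to "host.domain1.tld", the useful first step is to check offline which names the issued certificate actually carries, rather than reading the config that was meant to produce it. The script below is an added example, not part of the original post or of the OpenSSL project: it builds a throwaway root CA and a server certificate whose subjectAltName lists the canonical hostname together with two of the virtual mail domains, then uses `openssl verify -verify_hostname` to ask the same question a mail client asks. It assumes OpenSSL 1.1.1 or newer (for `-verify_hostname` and `x509 -ext`); the host names are the placeholders from the post, and the CA, keys and config files are constructed for the test only. Note that once a certificate has a subjectAltName, name matching uses the SAN alone and ignores the CN, which is why the SAN here repeats the CN.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA + server cert with
# a subjectAltName, and an offline check of which names the cert is valid for.
# Assumes OpenSSL >= 1.1.1. All names/files below are constructed test data.

build_test_pki() {
  work=$(mktemp -d) || return 1

  # Minimal config so the run does not depend on the system openssl.cnf.
  cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Test Root CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Self-signed throwaway root (1-day validity).
  openssl req -x509 -config "$work/ca.cnf" -extensions ca_ext -days 1 \
    -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.crt" \
    >/dev/null 2>&1 || return 1

  # Server key and CSR; the CN is the mail server's canonical name.
  openssl req -new -config "$work/ca.cnf" -subj "/CN=host.domain1.tld" \
    -newkey rsa:2048 -nodes -keyout "$work/host.key" -out "$work/host.csr" \
    >/dev/null 2>&1 || return 1

  # Extensions applied at signing time. The SAN repeats the CN on purpose:
  # with a SAN present, clients match the requested name against the SAN
  # only, so a SAN listing just the virtual domains would leave the
  # canonical hostname unmatched.
  cat > "$work/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.domain1.tld, DNS:imap.domain1.tld, DNS:mail.domain2.tld
EOF

  openssl x509 -req -days 1 -in "$work/host.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -extfile "$work/server.ext" \
    -out "$work/host.crt" >/dev/null 2>&1 || return 1

  echo "$work"
}

# Exit 0 only if the chain verifies against the CA and the certificate is
# valid for the hostname in $2 (the same check a mail client performs).
cert_valid_for() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/host.crt" \
    >/dev/null 2>&1
}

# Show the names the certificate actually carries: subject (CN) and SAN.
show_names() {
  openssl x509 -noout -subject -in "$1/host.crt"
  openssl x509 -noout -ext subjectAltName -in "$1/host.crt"
}

# Usage: sh check_names.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(build_test_pki) || exit 1
  show_names "$dir"
  cert_valid_for "$dir" host.domain1.tld && echo "host.domain1.tld: name OK"
fi
```

Run the same `cert_valid_for` style check against a certificate produced by the post's own `openssl ca` invocation (substituting that CA's `cacert.pem` and the issued cert) to confirm whether the name the client connects to is really among the names the certificate presents; `show_names` makes the CN and SAN visible in one place so the two can be compared directly.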