From what I can tell the extensions are just not being added to my
certificate.

I see no indication the extensions were added in the output of the
following command ...

[EMAIL PROTECTED]:Active] ssl.crt # openssl x509 -in btesting.bx05.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            84:36:1d:d4:d4:8b:a6:4d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=xx, L=xx, O=xx, OU=IT, CN=btesting.bx05.aa.com
        Validity
            Not Before: Sep 19 20:55:41 2007 GMT
            Not After : Sep 18 20:55:41 2008 GMT
        Subject: C=US, ST=xx, L=xx, O=xxxxxxxxxxxx, OU=IT, CN=btesting.bx05..com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        ...

Here is my configuration file.  

[ req ]
default_bits            = 1024
default_md              = sha1
#default_keyfile         = key1
distinguished_name      = req_distinguished_name
prompt                  = no
string_mask             = nombstr
req_extensions          = v3_req

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = xx
localityName            = xx
organizationName        = xx
organizationalUnitName  = IT
commonName              = btesting.bx05.com
emailAddress            = [EMAIL PROTECTED]

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = btesting.bx05.com
DNS.2 = biptst.bx05.com


Does anyone know why the extensions are not being included?

Thanks,
David
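An added example, not from this thread, that reproduces the symptom and the fix on a throwaway config: the "req_extensions" section is only consulted when "openssl req" builds a CSR, while a self-signed certificate produced with "openssl req -x509" takes its extensions from "x509_extensions" (or from a section named on the command line with "-extensions"). The hostnames blah.example.com and blah002.example.com and the temporary file names are constructed for the demonstration; cert_has_san is a checker you can run against any certificate before deploying it to confirm the SAN really carries the names clients will use.

```shell
#!/bin/sh
# Added example (not from the thread): "req_extensions" only applies when
# "openssl req" builds a CSR; a self-signed cert made with "openssl req -x509"
# takes its extensions from "x509_extensions" (or from "-extensions <section>").
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# write_config <file> <key>: <key> is req_extensions (the thread's config) or
# x509_extensions (the corrected one); everything else is identical.
write_config() {
    cat > "$1" <<EOF
[ req ]
default_md          = sha256
distinguished_name  = req_distinguished_name
prompt              = no
$2 = v3_req
[ req_distinguished_name ]
C  = US
O  = Example Org
CN = blah.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = blah.example.com
DNS.2 = blah002.example.com
EOF
}
# make_self_signed <config> <out.crt>: private key and self-signed cert in one step
make_self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1" -keyout "${2%.crt}.key" -out "$2" 2>/dev/null
}
# cert_has_san <cert> <dnsname>: succeeds only if the SAN extension lists the name
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}
write_config "$WORK/bad.cnf"  req_extensions
write_config "$WORK/good.cnf" x509_extensions
make_self_signed "$WORK/bad.cnf"  "$WORK/bad.crt"
make_self_signed "$WORK/good.cnf" "$WORK/good.crt"
cert_has_san "$WORK/bad.crt"  blah002.example.com || echo "bad.crt:  no SAN (req_extensions ignored by -x509)"
cert_has_san "$WORK/good.crt" blah002.example.com && echo "good.crt: SAN lists blah002.example.com"
```

The same effect is obtained without editing the config by passing "-extensions v3_req" to "openssl req -x509"; either way, run the cert_has_san check on the resulting file rather than trusting the config.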


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murphy, David F
Sent: Wednesday, September 19, 2007 1:07 PM
To: openssl-users@openssl.org
Subject: RE: Configuration file for subjectAltName

I ran the following command, 

openssl x509 -text -in certname.crt

but I do not see any of the subjectAltNames from my config file.  Is
this the correct command to see the names in the cert?


I am not getting an error, per se, but a common IE warning message
about, "invalid or does not match" when I try and connect to my test
website using an IE browser as a client.  This works as expected when my
URL is blah.mysite.com, however when I try using the alt_name
blah002.mysite.com, I get the "invalid or does not match" warning.  

This is a self-signed cert so I fully expect to get the 'certificate not
trusted' message, I was attempting to not have the "invalid or does not
match" warning message.

<><><>
commonName              = blah.mysite.com
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = blah.mysite.com
DNS.2 = blah002.mysite.com
<><><>

Thanks,

David

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, September 19, 2007 10:04 AM
To: openssl-users@openssl.org
Subject: RE: Configuration file for subjectAltName


> Once I purchase a trusted certificate, I was assuming both of these
> warnings would be removed; I thought a SAN-certificate would allow me to
> connect to the website using alternative names without getting the
> "invalid or does not match" warning.
>
> Thanks,
>
> David

What error are you getting now? Is it specific about whether the problem
is that the certificate is invalid or that it does not match or what?

The certificate only proves the identity of the server if the client is
using a name that is contained in the certificate, and the client
software uses the same stored in that place.

What is the client software? What name is it using to access the server?
And what are the contents of the name fields in the certificate? Is the
certificate signed by an authority the clients are configured to trust?
If there are any needed intermediate certificates, is the server sending
them to the clients?

If you're sure it's supposed to work, and it's not, you need to
troubleshoot.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

