>From what I can tell the extensions are just not being added to my certificate.
I see no indication the extensions were added in the output of the following command ... [EMAIL PROTECTED]:Active] ssl.crt # openssl x509 -in btesting.bx05.com.crt -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 84:36:1d:d4:d4:8b:a6:4d Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=xx, L=xx, O=xx, OU=IT, CN=btesting.bx05.aa.com Validity Not Before: Sep 19 20:55:41 2007 GMT Not After : Sep 18 20:55:41 2008 GMT Subject: C=US, ST=xx, L=xx, O=xxxxxxxxxxxx, OU=IT, CN=btesting.bx05..com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): ... Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption ... Here is my configuration file. [ req ] default_bits = 1024 default_md = sha1 #default_keyfile = key1 distinguished_name = req_distinguished_name prompt = no string_mask = nombstr req_extensions = v3_req [ req_distinguished_name ] countryName = US stateOrProvinceName = xx localityName = xx organizationName = xx organizationalUnitName = IT commonName = btesting.bx05.com emailAddress = [EMAIL PROTECTED] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = btesting.bx05.com DNS.1 = biptst.bx05.com Does anyone know why the extensions are not being included? Thanks, David -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murphy, David F Sent: Wednesday, September 19, 2007 1:07 PM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName I ran the following command, openssl x509 -text -in certname.crt but I do not see any of the subjectAltNames from my config file. Is this the correct command to see the names in the cert? I am not getting an error, per say, but a common IE warning message about, "invalid or does not match" when I try and connect to my test website using an IE browser as a client. This works as expected when my URL is blah.mysite.com, however when I try using the alt_name blah002.mysite.com, I get the "invalid or does not match" warning. This is a self-signed cert so I fully expect to get the 'certificate not trusted' message, I was attempting to not have the "invalid or does not match" warning message. <><><> commonName = blah.mysite.com subjectAltName = @alt_names [ alt_names ] DNS.1 = blah.mysite.com DNS.2 = blah002.mysite.com <><><> Thanks, David -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Wednesday, September 19, 2007 10:04 AM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName > Once I purchase a trusted certificate, I was assuming both of these > warnings would be removed; I thought a SAN-certificate would allow me to > connect to the website using alternative names without getting the > "invalid or does not match" warning. > > Thanks, > > David What error are you getting now? Is it specific about whether the problem is that certificate is invalid or that it does not match or what? The certificate only proves the identity of the server if the client is using a name that is contained in the certificate, and the client software uses the same stored in that place. What is the client software? What name is it using to access the server? And what are the contents of the name fields in the certificate? Is the certificate signed by an authority the clients are configured to trust? If there are any needed intermediate certificates, is the server sending them to the clients? If you're sure it's supposed to work, and it's not, you need to troubleshoot. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]