Depending on the CA you use, you may be able to issue a certificate with
CN=some-ILO-name,OU=...
AND
SubjectAlternativeName: IP:1.2.3.4
If the ILO configuration accepts that cert, then there is a good chance
your browser would accept the cert for both "https://some-ILO-name/" and
"https://1.2.3.4/"
On 24-07-2010 16:19, michu162 wrote:
So what should I do to avoid warnings?
CN (some-iLO-2-Subsystem-Name) is included in the certificate request, which is
automatically generated by the device. I can't upload another certificate (with
another CN) because I get an alert that the certificate doesn't match the request.
Is it possible to access the device via IP without warnings?
michu162 wrote:
I generated the SSL request, signed it with my CA (openssl) and uploaded the
signed certificate back to the device.
I also generated ca.der and uploaded it to my Internet browser. When I
try to open the iLO, my browser gives a warning about a mismatched hostname.
I'm accessing this device via IP address.
I don't want to add these addresses to my DNS.
The certificate request contained:
CN = some-iLO-2-Subsystem-Name
OU = ISS
O = Hewlett-Packard Development Company
ST = Texas
C = US
In my CA certificate, which I used to sign the request, I've got:
CN = in...@mycompany.com
C = US
ST = MyState
L = myCity
E = in...@mycompany.com
OU = Infrastructure
O = MyCompany SP zoo
What should I do to connect to ilo without any warnings?
To create my own CA I used:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
To sign my certificate request I used:
openssl ca -notext -in /etc/ssl/req.txt > /etc/ssl/ilocert.pem
My OpenSSL configuration file:
#
# Establish working directory.
dir = /etc/ssl
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
Can anyone help me?
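Added example, not part of the original thread: the approach from the reply above, where the CA adds a subjectAltName with both the device name and its IP while signing an unmodified request, followed by checks of what the issued certificate matches. It uses `openssl x509 -req` with `-extfile` instead of the poster's `openssl ca` setup so that it runs stand-alone; the CA, the stand-in request and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a throwaway CA signs a device-style CSR and adds DNS + IP SANs.
# Every name, address and file name below is a constructed sample value.
ILO_NAME="some-ILO-name"   # hostname used in the reply above
ILO_IP="1.2.3.4"           # IP address used in the reply above

issue_ilo_cert() {         # $1 = work directory (receives ca.pem, ilo.csr, ilo.pem)
    d=$1
    mkdir -p "$d" || return 1
    # Minimal config so the run does not depend on the system openssl.cnf
    cat > "$d/ca.cnf" <<EOF || return 1
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Throwaway CA, standing in for cacert.pem / cakey.pem
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" \
        2>/dev/null || return 1
    # Stand-in for the device-generated request; its CN is fixed by the device
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$d/ca.cnf" \
        -subj "/C=US/ST=Texas/O=Example/OU=ISS/CN=$ILO_NAME" \
        -keyout "$d/ilo.key" -out "$d/ilo.csr" 2>/dev/null || return 1
    # The CA adds the SAN while signing, so the request itself is not modified
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s, IP:%s\n' \
        "$ILO_NAME" "$ILO_IP" > "$d/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$d/ilo.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/san.ext" -out "$d/ilo.pem" 2>/dev/null || return 1
}

cert_matches_ip() {        # $1 = certificate, $2 = IP address
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

cert_matches_host() {      # $1 = certificate, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

cert_chains_to() {         # $1 = CA certificate, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

With `openssl ca`, the same two extension lines can be supplied through its `-extfile` option; whether the device then accepts the uploaded certificate is up to the device.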