On Wednesday 04 Jan 2012 13:40:12 you wrote:
> On Wed, Jan 4, 2012 at 1:57 PM, Mick <michaelkintz...@gmail.com> wrote:
> > On Wednesday 04 Jan 2012 12:33:06 you wrote:
> >> Hi,
> >>
> >> I have some firewalls that put a subjectAltName X509v3 attribute
> >> into the CSR, but when I sign them with my openssl CA, it just throws
> >> that attribute away. VPN clients later require the subjectAltName to
> >> match the host they connect to, hence it must be present.
> >
> > Theoretically at least the VPN client would search the Subject: string
> > for a Distinguished Name.
> > If it can't find it there it will look at the subjAltName which, as you
> > say, is not always available in a certificate.
>
> Yeah, in theory, but in practice the Android/VPN/Racoon client in this
> case requires subjAltName to work...
Hmm ... interesting. Do you know what the client or router expects to find in there? I mean, what type of subjAltName string will it work happily with? IP:XXX.XXX.X.XX, DNS:example.com, email:acco...@example.com or even /C=US/L=some_state/O=my_company/CN=VPN_user

I have been having similar problems here with a router which will not return a DN (or subjAltName) from its certificate to any VPN clients trying to connect to it.

--
Regards,
Mick
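The behaviour the quoted report describes (the CSR's subjectAltName vanishing once `openssl ca` signs it), shown as an added example that is not from the thread: a minimal CA config is written with `copy_extensions` set first to `none` and then to `copy`, a CSR carrying a constructed SAN is signed under each, and the issued certificate is inspected. It assumes an `openssl` binary (1.1.1 or later, for `-addext`) on the PATH; the CA, key material, hostnames and temp-dir layout are all constructed for the demonstration.

```shell
# Added example (not from the thread): `openssl ca` drops a subjectAltName that
# the CSR carries unless copy_extensions is set in the CA section of its config.
set -eu

# Build a throwaway CA in a temp dir, sign a CSR carrying a constructed SAN and
# print the SAN found in the issued cert (empty if dropped). $1 = copy_extensions.
sign_with_copy_extensions() {
    d="$(mktemp -d)"
    mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $d
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
copy_extensions = $1
[ policy_any ]
commonName      = supplied
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
[ dn ]
CN = vpn-gw.example.test
[ req_ext ]
subjectAltName = DNS:vpn-gw.example.test
EOF
    # Self-signed CA, then the "firewall" CSR with the SAN as a request extension.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" -config "$d/ca.cnf" \
        -addext "basicConstraints=critical,CA:TRUE" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/fw.key" -out "$d/fw.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -in "$d/fw.csr" -out "$d/fw.crt" 2>/dev/null
    # Print the line after the SAN header, if any (works on old and new openssl).
    openssl x509 -in "$d/fw.crt" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    echo "copy_extensions = none -> SAN in issued cert: '$(sign_with_copy_extensions none)'"
    echo "copy_extensions = copy -> SAN in issued cert: '$(sign_with_copy_extensions copy)'"
fi
```

With `none` (the default when the directive is absent) the issued certificate has no SAN at all; with `copy` the CSR's `DNS:vpn-gw.example.test` survives signing.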