Re: Why does my browser give a warning about a mismatched hostname
How can I add both IP address and DNS name? In my ip.ext file i have: subjectAltName=IP:10.6.73.72 subjectAltName=DNS:server.infr I signed request with openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem I received certificate with only additional DNS name What should I do to have both DNS and IP? michu162 wrote: I've solved this problem. I created file ip.ext with: subjectAltName=IP:10.5.19.191 To sign certificate I used: openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem Everything works well! Thanks Jakob Bohm-7 wrote: Depending on the CA you use, you may be able to issue a certificate with CN=some-ILO-name,OU=... AND SubjectAlternativeName: IP:1.2.3.4 If the ILO configuration accepts that cert, then there is a good chance you browser would accept the cert for both https://some-ILO-name/; and https://1.2.3.4/; On 24-07-2010 16:19, michu162 wrote: So what i should do to avoid warnings? CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch is automatically generated by device. I can't upload other certificate (with other CN) because i got alert that certificate doesn't match the request. Is possible to access device via IP without warnings? michu162 wrote: I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE subjectKeyIdentifier= hash Can anyone help me
Re: Why does my browser give a warning about a mismatched hostname
Solution: subjectAltName=IP:10.6.73.72,DNS:server.infr michu162 wrote: How can I add both IP address and DNS name? In my ip.ext file i have: subjectAltName=IP:10.6.73.72 subjectAltName=DNS:server.infr I signed request with openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem I received certificate with only additional DNS name What should I do to have both DNS and IP? michu162 wrote: I've solved this problem. I created file ip.ext with: subjectAltName=IP:10.5.19.191 To sign certificate I used: openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem Everything works well! Thanks Jakob Bohm-7 wrote: Depending on the CA you use, you may be able to issue a certificate with CN=some-ILO-name,OU=... AND SubjectAlternativeName: IP:1.2.3.4 If the ILO configuration accepts that cert, then there is a good chance you browser would accept the cert for both https://some-ILO-name/; and https://1.2.3.4/; On 24-07-2010 16:19, michu162 wrote: So what i should do to avoid warnings? CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch is automatically generated by device. I can't upload other certificate (with other CN) because i got alert that certificate doesn't match the request. Is possible to access device via IP without warnings? michu162 wrote: I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE
Re: Why does my browser give a warning about a mismatched hostname
I've solved this problem. I created file ip.ext with: subjectAltName=IP:10.5.19.191 To sign certificate I used: openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem Everything works well! Thanks Jakob Bohm-7 wrote: Depending on the CA you use, you may be able to issue a certificate with CN=some-ILO-name,OU=... AND SubjectAlternativeName: IP:1.2.3.4 If the ILO configuration accepts that cert, then there is a good chance you browser would accept the cert for both https://some-ILO-name/; and https://1.2.3.4/; On 24-07-2010 16:19, michu162 wrote: So what i should do to avoid warnings? CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch is automatically generated by device. I can't upload other certificate (with other CN) because i got alert that certificate doesn't match the request. Is possible to access device via IP without warnings? michu162 wrote: I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE subjectKeyIdentifier= hash Can anyone help me? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://old.nabble.com/Why-does-my-browser-give-a-warning-about
Re: Why does my browser give a warning about a mismatched hostname
So what i should do to avoid warnings? CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch is automatically generated by device. I can't upload other certificate (with other CN) because i got alert that certificate doesn't match the request. Is possible to access device via IP without warnings? michu162 wrote: I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE subjectKeyIdentifier= hash Can anyone help me? -- View this message in context: http://old.nabble.com/Why-does-my-browser-give-a-warning-about-a-mismatched-hostname-tp29237337p29255142.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Why does my browser give a warning about a mismatched hostname
I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE subjectKeyIdentifier= hash Can anyone help me? -- View this message in context: http://old.nabble.com/Why-does-my-browser-give-a-warning-about-a-mismatched-hostname-tp29237337p29237337.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
