RE: Please Help: Certificate Validation using subjectAltName extension
Thanks Dave for the explanation. One doubt regarding the sentence:

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity (RFC 2818)

What does this line mean? Does it say that if a certificate has a different CN in the issuer subject field but a SubjectAltName x.x.x.x which matches HOST.URL (the server), then the handshake will go through? i.e.

    [ certificate_extensions ]
    basicConstraints = CA:false
    subjectAltName = DNS:x.x.x.x,DNS:localhost

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = Chems
    localityName = Washington
    organizationName = Sercomm
    commonName = Verisign

    [ req_extensions ]
    basicConstraints = CA:true
    subjectAltName = DNS:x.x.x.x,DNS:localhost

Am I correct? Please help.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p33873612.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: Please Help: Certificate Validation using subjectAltName extension
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Saturday, 03 December, 2011 02:56
>
> My TLS client can validate both CN and SN; I need to test both scenarios.
> I don't know how to create a certificate with subjectAltName extension
> using openssl commands. In RFC 2818 there are two ways of certificate
> validation for host name:
> 1) CN (Common Name)
> 2) SN (Subject Name)

1. Common Name, part of subject name which is the value of Subject.
2. Subject *Alternative* Name, which is an extension.

> If a subjectAltName extension of type dNSName is present, that MUST be
> used as the identity. Otherwise, the (most specific) Common Name field
> in the Subject field of the certificate MUST be used. Although the use
> of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.

As this says, although a bit tersely.

> I created a self-signed certificate using open-ssl commands and my
> certificate chain looks like below where CN=10.204.4.69
>
>     openssl genrsa -des3 -out server.key 1024
>     openssl req -new -key server.key -out server.csr
>     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
>
> Please tell how to create a certificate with subjectAltName extension
> using openssl commands?

The same way(s) you create a cert with any extension(s). See man req; man x509; man ca; man x509v3_config.

In x509 -req supply -extfile with the name of a config file, and -extsect with the name of a section in that file unless it is default or pointed to by default.extensions, specifying the extension(s) you want. You want something like

    subjectAltName=DNS:my.host.example

For selfsigned you can save a step (or two) with req -x509 (and -newkey), in which case use -extensions or req.x509_extensions.
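The shortcut Dave describes (req -x509 with -newkey and -extensions), worked through as an added example that is not from the thread, with openssl's own hostname checker used afterwards to show the RFC 2818 rule behind Rout's follow-up question: when a dNSName SAN is present, the CN is not consulted. It assumes openssl 1.1.0 or later on PATH; the hostnames, IP address and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build a self-signed cert that
# carries a subjectAltName extension, then check which identities it is
# valid for. Assumes openssl 1.1.0+ on PATH; all names/paths are constructed.
set -eu

# make_san_cert DIR SAN_HOST CN_HOST IP: writes DIR/server.key and
# DIR/server.crt. CN_HOST goes only into the subject CN; SAN_HOST and IP
# become dNSName and iPAddress entries of the SAN extension.
make_san_cert() {
    dir=$1; san_host=$2; cn_host=$3; ip=$4
    mkdir -p "$dir"
    # The section named by -extensions is copied into the self-signed cert,
    # so no separate CSR + 'x509 -req -extfile/-extsect' step is needed.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = $cn_host

[ san_ext ]
subjectAltName = DNS:$san_host, IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/san.cnf" -extensions san_ext 2>/dev/null
}

# print_san CERT: prints the SAN entries as openssl renders them,
# e.g. "DNS:san.example, IP Address:192.0.2.10".
print_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_host CERT NAME: exit 0 if openssl accepts NAME as an identity of
# CERT. The self-signed cert serves as its own trust anchor via -CAfile.
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# verify_ip CERT IP: the same check against the iPAddress SAN entries.
verify_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}
```

After `make_san_cert ./out san.example cn.example 192.0.2.10`, `verify_host ./out/server.crt san.example` succeeds while `verify_host ./out/server.crt cn.example` fails, even though cn.example is the CN, because the SAN takes precedence.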
Please Help: Certificate Validation using subjectAltName extension
Dear All,

My TLS client can validate both CN and SN; I need to test both scenarios. I don't know how to create a certificate with “subjectAltName extension” using openssl commands.

In RFC 2818, there are two ways of certificate validation for host name:
1) CN (Common Name)
2) SN (Subject Name)

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

I created a self-signed certificate using open-ssl commands and my certificate chain looks like below where CN=10.204.4.69

    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

My Certificate chain
===
 0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com
   i:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com

Please tell how to create a certificate with “subjectAltName extension” using openssl commands?

Thanks in advance.

Regards,
Rout

--
View this message in context: http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p32906983.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.