So I think you were right. I used a command to view the CSR that I
generated with the following:

openssl req -new -nodes -subj "/CN=www.myserver.com" -out /tmp/file.csr
-keyout /tmp/privkey.csr -config /my/openssl.cnf

When I do this, though, I noticed that my subject line, which I view with

openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf


It seems like the file is getting created with the common name in the
config file instead of the one I pass it. Does it not override the config
file?

Thanks



On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
> >Sent: Thursday, 11 October, 2012 19:03
>
> >i have a server that is running a custom app that can accept
> >a SSL connection. I generate a cert on each server, that is
> >signed by my own CA. I tested whether this worked or not by
> >using the openssl s_client and s_server commands, and it actually
> >worked to connect to the server using those commands. I started
> >the server with a PEM file that contained the signed cert request,
>
> Nit: it contains the cert, and private key. A cert is NOT a signed CSR.
>
> >as well as the private key for that cert request. This allowed me
> >to start the server with
> >       openssl s_server -accept 443 -cert myfile.cert
>
> Note that will support connection at the SSL level, but not give
> an HTTP response unless you type it by hand (which is hard to do).
> Add -www to support minimal requests from browsers.
>
> >       and on the client side <snip: s_client okay>
>
> >I installed my_server_cert.pem as a trusted authority in firefox,
> >however, it still prompts that it is an "Untrusted Connection"
> >and has the button to add security exception. [which] says "Wrong Site"
> >and "This site attempts to identify itself with invalid information"
>
> Most SSL clients including Firefox, unlike s_client, check that the
> name in the server cert matches the name of the server they want,
> almost always as a domain name. The traditional and simple way is
> the CommonName in the server cert's Subject field is the FQDN.
> Most clients, I'd expect including Firefox but didn't take time to test,
> also support (1-level) wildcard, or the SubjectAlternativeName extension
> which can have multiple domain names or wildcards or some other options
> that are rarely used. Public CAs often call this "multi-domain", or
> "Unified Communications" which was Microsoft's jargon for it.
>
> If you're doing these certs yourself and can issue whatever you want
> free anytime, I'd go with simple, but openssl ca (or x509 -req)
> can do SAN if you set up the config file(s).
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
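The following script is an added example for this thread; it is not Derek's or Dave's code and not part of the OpenSSL project. It ties the two points together: it builds a CSR with `-subj` against a config file whose own `CN` is different, prints the subject actually written into the CSR (the check Derek describes, normalised with `-nameopt RFC2253` so it reads the same on old and new OpenSSL), puts a subjectAltName into the request from a config section as Dave suggests, and then uses `openssl x509 -checkhost` (OpenSSL 1.0.2 or later) to test a self-signed cert against hostnames the way a browser would. The config section names, file paths under `$TMPDIR`, and the hostnames are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows which CN ends up in a CSR when
# -subj and a config file disagree, how to add a SAN from a config section,
# and how hostname matching against CN/SAN behaves. Paths and names are assumed.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORK"
CNF="$WORK/openssl.cnf"

# Minimal config: prompt=no so req reads the DN from [dn] instead of asking.
# Its CN deliberately differs from the one passed with -subj.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = config-default.example

[ v3_req ]
subjectAltName = DNS:www.myserver.com, DNS:myserver.com
EOF

# Print the subject of a CSR in RFC2253 form (same output on 1.0.x and 3.x).
csr_cn() { # csr_cn <file.csr>
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Create a CSR: subject from -subj, SAN from the v3_req section of the config.
make_csr() { # make_csr <out.csr> <key.pem> <CN>
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$3" -config "$CNF" -reqexts v3_req \
        -out "$1" -keyout "$2" 2>/dev/null
}

# Create a self-signed cert with the same subject/SAN, for the hostname check.
make_selfsigned() { # make_selfsigned <out.pem> <key.pem> <CN>
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=$3" -config "$CNF" -extensions v3_req \
        -out "$1" -keyout "$2" 2>/dev/null
}

# Return 0 if the cert's names (SAN, else CN) match the host, 1 otherwise.
# -checkhost prints "... does match ..." or "... does NOT match ...".
cert_matches_host() { # cert_matches_host <cert.pem> <hostname>
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q ' does match '
}

main() {
    make_csr "$WORK/file.csr" "$WORK/privkey.pem" www.myserver.com
    echo "CSR subject: $(csr_cn "$WORK/file.csr")"   # CN=www.myserver.com
    openssl req -noout -text -in "$WORK/file.csr" | grep 'DNS:' || true

    make_selfsigned "$WORK/cert.pem" "$WORK/key.pem" www.myserver.com
    for h in www.myserver.com myserver.com other.example; do
        if cert_matches_host "$WORK/cert.pem" "$h"; then
            echo "$h: match"
        else
            echo "$h: no match"
        fi
    done
}

main
```

The `-subj` value, not the config file's `CN`, is what lands in the CSR; the config is still needed for the `subjectAltName` section. `other.example` is reported as no match because it is in neither the SAN nor the CN, which is the same check that produces Firefox's "Wrong Site" message.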
