fqdn = fqdn error
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL 0.9.7j on OpenBSD 4.0 1. Created a cert for host.domain1.tld (a mail server that houses multiple virtual domains, but its real hostname is host.domain1.tld) using the commands and config file listed below 2. Installed the root CA cert and server cert on the server 3. Installed the root CA cert in Thunderbird 2.0.0.4 on OS X 10.4.10 and set Thunderbird to trust it for everything 4. When starting Thunderbird, this message always appears: You have attempted to establish a connection with host.domain1.tld. However, the security certificate presented belongs to host.domain1.tld. It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. Note that host.domain1.tld is exactly the same string in both cases, and again it's the canonical name of the mail server. What's wrong here? Thanks in advance for clues on troubleshooting this error. dn Command to generate cert on CA: openssl req -nodes -new -keyout private/host.domain1.tld.key \ -out csrs/host.domain1.tld.csr -extensions server \ -config ./openssl.cnf Command to generate cert: openssl ca -out certs/host.domain1.tld \ -in csrs/host.domain1.tld.csr -extensions server \ -config ./openssl.cnf openssl.cnf: [ ca ] default_ca = CA_default [ CA_default ] dir = . serial = $dir/serial database= $dir/index.txt new_certs_dir = $dir/newcerts certs = $dir/certs certificate = $certs/cacert.pem private_key = $dir/private/cakey.pem default_days= 365 default_md = md5 preserve= no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match copy_extensions = copy [ CA_with_exts ] dir = . serial = $dir/serial database= $dir/index.txt new_certs_dir = $dir/newcerts certs = $dir/certs certificate = $certs/cacert.pem private_key = $dir/private/cakey.pem default_days= 365 default_md = md5 preserve= no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match copy_extensions = copy [ policy_match ] countryName = optional stateOrProvinceName = optional organizationName= optional organizationalUnitName = optional commonName = supplied emailAddress= optional [ req ] default_bits= 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #-- -- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #-- -- 0.organizationName_default = Network Test Inc. localityName_default= Westlake Village stateOrProvinceName_default = California countryName_default = US organizationalUnitName_default = Engineering emailAddress_default= [EMAIL PROTECTED] [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Some CAs do not yet support subjectAltName in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate... # # uncomment subjectAltName for multiple hosts # subjectAltName = @alt_names [alt_names] # # uncomment DNS names (changing as necessary) for multiple hosts # DNS.1 = imap.domain1.tld DNS.2 = mail.domain2.tld DNS.3 = mail.domain3.tld DNS.4 = mail.domain4.tld DNS.5 = mail.domain5.tld DNS.6 = mail.domain6.tld DNS.7 = mail.domain7.tld DNS.8 =
Re: subjectAltName setup
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/17/06 8:04 AM, Victor Duchovni wrote: On Sun, Dec 17, 2006 at 02:25:29PM +0100, Dr. Stephen Henson wrote: On Sat, Dec 16, 2006, David Newman wrote: For setup of a Postfix box that will serve multiple virtual domains, I would like to generate one cert for all hostnames at which this box will be able to be reached. Following an example in a post from Victor Duchovni [0], I configured the subjectAltName parameter in openssl.cnf with four hostnames and generated a cert. However, I still see only one CN in the resulting cert. You will only see one CN. CN and subjectAltName are two different things. The approved way to represent multiple host names is via subjectAltName which will appear in the extensions list when you display the certificate. If you need multiple CNs (which some software may require) then you need to prompt for multiple CNs. The OP meant multiple SubjectAlternativeName values in the signed certificate Correct. Sorry for the abuse of terminology. , the extensions are not by default copied into the signed certificate. The copy_extensions option described in http://www.openssl.org/docs/apps/ca.html is AFAIK the supported mechanism for importing SubjectAlternativeNames from the request into the certificate. - From previous posts my understanding was that for subjectAltName to work, openssl.cnf required: - - v3_req and alt_names sections - - req_extensions and x509_extensions statements in the [req] section - - subjectAltName statements in the policy section(s) The warnings in that URL above make me unsure where or how to apply copy_extensions as well. Here is a barebones config file. What else is needed to generate a cert for multiple hostnames? thanks dn [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database= $dir/index.txt new_certs_dir = $dir/newcerts certs = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days= 365 default_md = md5 preserve= no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional subjectAltName = optional [ req ] default_bits= 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #-- -- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #-- -- 0.organizationName_default = The Sample Company localityName_default= Metropolis stateOrProvinceName_default = New York countryName_default = US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Some CAs do not yet support subjectAltName in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate... subjectAltName = @alt_names [alt_names] DNS.1 = mail.freedonia.gov DNS.2 = mail.potrzebie.org DNS.3 = mail.furshlugginer.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFFhZUryPxGVjntI4IRAhOrAKCdO7+kcPZJCUKn47kRml1OubRIiACfQ8h3 MXLzOXzlFOWtsy2ugU8Ih2A= =fAk/ -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager
Re: subjectAltName setup
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/17/06 11:28 AM, Victor Duchovni wrote: [ CA_default ] serial = $dir/serial database = $dir/index.txt new_certs_dir= $dir/newcerts certs= $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match Add copy_extensions = copy above. Of course validate the extensions before you sign the request. Got it, thanks! For future reference, I've pasted the entire working openssl.cnf below. One last question: Generating a cert for multiple virtual hosts is only an occasional requirement. Generally this CA will generate certs for one CN and zero alternates. Through trial and error I found that I can leave the subjectAltName stuff in openssl.cnf, and just comment out the req_extensions = v3_ext statement in the req section. Is this valid, or am I losing some other needed functionality? thanks again dn [ ca ] default_ca = CA_default [ CA_default ] dir = . serial = $dir/serial database= $dir/index.txt new_certs_dir = $dir/newcerts certs = $dir/certs certificate = $certs/cacert.pem private_key = $dir/private/cakey.pem default_days= 365 default_md = md5 preserve= no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match copy_extensions = copy [ policy_match ] countryName = match stateOrProvinceName = match organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional [ req ] default_bits= 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #-- -- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #-- -- 0.organizationName_default = The Sample Company localityName_default= Metropolis stateOrProvinceName_default = New York countryName_default = US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Some CAs do not yet support subjectAltName in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate... subjectAltName = @alt_names [alt_names] DNS.1 = mail.freedonia.gov DNS.2 = mail.potrzebie.org DNS.3 = mail.furshlugginer.org [ server ] # Make a cert with nsCertType set to server basicConstraints=CA:FALSE nsCertType = server nsComment = OpenSSL Generated Server Certificate subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ client ] # Make a cert with nsCertType set to client basicConstraints=CA:FALSE nsCertType = client nsComment = OpenSSL Generated Client Certificate subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (Darwin) iD4DBQFFhfvWyPxGVjntI4IRAmYXAJUTtFXQpKkI+N6mzvuVhPdGcsWRAKCu5G7S kJUs02YmBL+/2ed9qpB5vw== =2LNV -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL
Re: subjectAltName setup
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/17/06 7:14 PM, Victor Duchovni wrote: On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote: One last question: Generating a cert for multiple virtual hosts is only an occasional requirement. Generally this CA will generate certs for one CN and zero alternates. In that case don't add copy_extensions = copy to CA_default and create a CA_with_exts that is like CA_default, but enables extension copying. Use an explicit -name CA_with_exts only when you need it. Through trial and error I found that I can leave the subjectAltName stuff in openssl.cnf, and just comment out the req_extensions = v3_ext statement in the req section. Is this valid, or am I losing some other needed functionality? If you always generate the certs yourself, you can suppress the alternative names either in the request, in the CA or perhaps in both. I am fond of building .cnf files on the fly and using them via -config. Hmmm. If I comment out only copy_extensions statement and generate a request, I still see the alternative names. However, the alternative names are gone if I comment out only req_extensions. This seems to contradict what you said above. But is it a valid config? thanks again dn -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFhhiByPxGVjntI4IRAn1XAKC9Tiyl3ZO4I+hWJafpAJLn8eWVeQCghUvX CDAdHvqAglMUi5xKLxA6p1A= =jXYI -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
subjectAltName setup
For setup of a Postfix box that will serve multiple virtual domains, I would like to generate one cert for all hostnames at which this box will be able to be reached. Following an example in a post from Victor Duchovni [0], I configured the subjectAltName parameter in openssl.cnf with four hostnames and generated a cert. However, I still see only one CN in the resulting cert. I've pasted below the subjectAltName stuff from my openssl.cnf, and here are the commands I used to generate the cert: openssl req -new -nodes -keyout /root/CA/private/lance-cyrus.key \ -out csrs/lance-cyrus.csr -config ./openssl.cnf \ -extensions server openssl ca -out certs/lance-cyrus.pem \ -in csrs/lance-cyrus.csr -config ./openssl.cnf \ -extensions server But when I view the cert with this command I only see one CN: openssl x509 -in certs/lance-cyrus.pem -noout -text Thanks in advance for clues on getting subjectAltName working. dn [0] http://tinyurl.com/tqhhb from my openssl.cnf: [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Some CAs do not yet support subjectAltName in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate... subjectAltName = @alt_names [alt_names] DNS.1 = lance.eng.networktest.com DNS.2 = mail.freedonia.gov DNS.3 = mail.potrzebie.org DNS.4 = mail.furshlugginer.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]