you know bruno - i had to look up what the heck unstructured subject name was. i couldn't find much after my first pass, but it appears that it's just another text field you can use to fill in subject name stuff into, should your box have multiple hostnames or something like that. i would assume that "unstructured" means it does not follow PKI standards and contain location-specific things like CN=,OU=,L=, etc. since i've done my fair share of SSL installs and never seen it, i'm assuming it's a lesser-used special case for a specific product or CA type.
i DO know alternate subject name though - that's an alternative name you can embed in certificates for verification purposes. it is very useful in load-balanced and clustered configurations where multiple physical devices could answer for the same logical DNS name. think what you'd have to do to have a DR headend that responds to sslvpn.ipexpert.com, regardless of whether the box is a primary in a west coast data center, versus backup in an east coast data center. so in short, probably just stick to subject-name and popular values like CN or OU :). next best guess for a PKI deployment IMHO would be issuer subject name CN value. and last choice would be subject alternative name (alt-subject-name). i'm quite certain if they want you to use something goofy like unstructured subject name, they will spell it out and it will be an easy question mark away inside the trustpoint config :).

hope this helps,
andrew

On Fri, Mar 4, 2011 at 5:40 AM, Bruno <[email protected]> wrote:
> Any idea what is the difference between unstructured-subject-name and
> alt-subject-name when matching certificates?
>
> I lab it here and use unstructured, alt and subject to match. All were
> fine.
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
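An added example (not from the thread, and not Cisco's implementation) that models the certificate-map matching Andrew describes: a map entry keyed on the subject CN accepts only one headend, while one keyed on OU plus issuer, or on the SAN (alt-subject-name), accepts both the west primary and the east DR box that answer for sslvpn.ipexpert.com. The Cert class, the certificate values and the simplified eq/ne/co/nc evaluator are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Fields a headend certificate map can match on (constructed, simplified)."""
    subject: str                      # DN string, e.g. "CN=...,OU=...,O=..."
    issuer: str
    alt_names: list = field(default_factory=list)   # SAN dNSName values
    unstructured_name: str = ""       # assumed: free-form text, empty when absent

# Map field names (as used in a trustpoint certificate map) to cert values.
FIELDS = {
    "subject-name": lambda c: [c.subject],
    "issuer-name": lambda c: [c.issuer],
    "alt-subject-name": lambda c: list(c.alt_names),
    "unstructured-subject-name": lambda c: [c.unstructured_name],
}

def rule_matches(cert, field_name, op, value):
    """Evaluate one rule. Operators model eq/ne/co/nc (assumption: matching is
    case-insensitive and a multi-valued field matches if any value matches)."""
    values = [v.lower() for v in FIELDS[field_name](cert)]
    v = value.lower()
    if op == "eq": return any(x == v for x in values)
    if op == "ne": return all(x != v for x in values)
    if op == "co": return any(v in x for x in values)
    if op == "nc": return all(v not in x for x in values)
    raise ValueError(f"unknown operator {op}")

def cert_map_matches(cert, rules):
    """Every rule in one map entry must hold (AND), as in a certificate map."""
    return all(rule_matches(cert, f, op, val) for f, op, val in rules)

# Constructed certificates for a primary (west) and a DR (east) headend that
# both carry the logical name sslvpn.ipexpert.com in their SAN.
ISSUER = "CN=ipexpert-ca,O=ipexpert"
WEST = Cert("CN=vpn-west01.ipexpert.com,OU=VPN,O=ipexpert", ISSUER,
            ["sslvpn.ipexpert.com", "vpn-west01.ipexpert.com"])
EAST = Cert("CN=vpn-east01.ipexpert.com,OU=VPN,O=ipexpert", ISSUER,
            ["sslvpn.ipexpert.com", "vpn-east01.ipexpert.com"])

CN_MAP = [("subject-name", "co", "cn=vpn-west01.ipexpert.com")]
OU_MAP = [("subject-name", "co", "ou=vpn"), ("issuer-name", "co", "cn=ipexpert-ca")]
SAN_MAP = [("alt-subject-name", "eq", "sslvpn.ipexpert.com")]

def which_match(rules):
    """Names of the constructed certs that a map entry accepts."""
    return [n for n, c in (("west", WEST), ("east", EAST)) if cert_map_matches(c, rules)]

if __name__ == "__main__":
    for name, m in (("CN", CN_MAP), ("OU+issuer", OU_MAP), ("SAN", SAN_MAP)):
        print(f"{name:10} -> {which_match(m)}")
```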
