Look here:
http://support.microsoft.com/support/kb/articles/Q257/8/73.ASP
Win2K SP1 updates clients to accept wildcards ... however that means any
Win2K box *without* the update will still receive the error. So, I'm not
going with a wildcard just yet.
btw, the "*.gmoney.com" entry in my *DNS* file DOES allow me to resolve ALL
non-specified hostnames to a single IP. And you are right, this has nothing
*directly* to do with SSL ... but it was a very convenient way to test it
;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of seph
Sent: Wednesday, February 28, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: SSL Wildcard Certificates

"Ladd Angelius" <[EMAIL PROTECTED]> writes:
> Does anyone know about a workaround/fix for the below problem? We'd
> like to use a wildcard certificate ...
>
> I tested the "wildcard" test-certificate offered by www.thawte.com
>
> The test:
> I control the DNS, so I put a "*.gmoney.com" entry in my DNS file,
> and ping tested multiple names, i.e. hello.mydomain.com,
> xxxx.mydomain.com, etc. Everything resolves to a specific IP, which
> is a box running Linux RedHat7 with preconfigured SSL and Apache
> (comes already set up with RH7).
I don't understand this bit. I didn't think "*" was a valid character
in host names, and that's just not how wildcard certs work.
> I generated a CSR with the command "make certreq", submitted it to
> www.thawte.com, received a CRT, copied the CRT to the file
> /etc/httpd/conf/ssl.crt/server.crt, and restarted apache.
>
> Findings:
>
> All clients connecting over SSL receive the "non-trusted authority"
> error (this is normal for a "test" certificate).
>
> Win2K IE5 clients report "hostname does not match the certificate."
> Win2K NS4.7 only reports "non-trusted authority." No mention of
> hostname match or not.
> Win98 NS4.7 only reports "non-trusted authority." No mention of
> hostname match or not.
>
> Any and all suggestions/fixes/workarounds will be greatly appreciated.
windows 2000 does not support wildcard. microsoft disapproves of them
or some such silliness. thawte mentions it here:
http://www.thawte.com/support/server/wildcards.html. I expect you
could find something on microsoft's web pages if you looked...
this may or may not affect netscape.
if it reports a non-trusted authority it implies its ca cert file is
confused. did you check it?
seph
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
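
The two client behaviours discussed in this thread, as an added example that is not part of the original messages: a client without wildcard support is modelled as comparing the certificate name literally, and a wildcard-aware client follows the RFC 6125 style rule that `*` is the whole left-most label and stands for exactly one label. The function names and the host names under gmoney.com are constructed for illustration, and partial-label wildcards such as `f*.gmoney.com` are deliberately refused.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def match_exact(cert_name, host):
    """Model of a client with no wildcard support: names must be identical."""
    return _labels(cert_name) == _labels(host)


def match_wildcard(cert_name, host):
    """Model of a wildcard-aware client (whole-label '*' only)."""
    pattern, target = _labels(cert_name), _labels(host)
    if not all(target):
        return False                      # empty label, e.g. "a..b.com"
    if "*" not in cert_name:
        return pattern == target
    # '*' must be the entire left-most label and appear nowhere else.
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        return False
    # Require at least two fixed labels so that "*.com" is refused.
    if len(pattern) < 3:
        return False
    # '*' replaces exactly one label: same depth, identical fixed labels.
    return len(target) == len(pattern) and pattern[1:] == target[1:]


def report(cert_name, hosts):
    """Map each host to (exact-match result, wildcard-aware result)."""
    return {h: (match_exact(cert_name, h), match_wildcard(cert_name, h))
            for h in hosts}


# Constructed sample names; a DNS wildcard record would resolve all but the
# bare domain, yet the certificate check is a separate decision per client.
SAMPLE_HOSTS = ["hello.gmoney.com", "xxxx.gmoney.com",
                "gmoney.com", "a.b.gmoney.com"]

if __name__ == "__main__":
    for host, (exact, wild) in report("*.gmoney.com", SAMPLE_HOSTS).items():
        print(f"{host:18} exact-only client: {exact!s:5}  "
              f"wildcard-aware client: {wild}")
```

A DNS wildcard record and a certificate wildcard are evaluated independently: a name can resolve through DNS and still fail the client's certificate name check.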