Jean-Marc Desperrier wrote:

Are you sure this is really the one on-line currently? I still see the old one. If you use the standard openssl script, it will reject any extension in the certificate request, and only put in the cert the extensions that come from the CA configuration. Yes, it makes it hard to put the adequate alternative name for server certificates when you don't issue the cert by hand. The OpenSSL ca tool is not a CA, it's a toy; its author would be the first to confirm that.

I actually forgot to restart Apache (oops), but after I did, it does validate; but then I get a misleading error message...

the common name on the certificate is: *.cacert.org
the subjectAltName is: cacert.org

Firefox appears to exhibit the correct behaviour, ignoring the CN when the site redirects https://cacert.org -> https://www.cacert.org, but then throws up an error message:

"You have attempted to establish a connection with "www.cacert.org". However, the security certificate presented belongs to "*.cacert.org". It is possible, though unlikely, that someone may be trying to intercept your communication with this website."

I think someone else pointed it out before, that the SAN isn't used/displayed anywhere most of the time... From memory, with only SANs in the certificate, if there is an error message, the "issued for" quotes will be blank...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"I do not try to dance better than anyone else.
    I only try to dance better than myself."
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
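The name-matching behaviour Duane describes (the CN is ignored entirely once the certificate carries subjectAltName dNSName entries, and a wildcard covers exactly one label) can be made concrete. This is an added example, not code from the thread or from Firefox or OpenSSL; the matching rules follow RFC 6125 section 6.4, and the certificate names are the ones quoted in the message above.

```python
"""Added example: hostname matching with SAN precedence over the CN.

Mirrors the browser behaviour discussed in the thread: once a
certificate presents dNSName SANs, the Common Name is never consulted,
so a CN of '*.cacert.org' does not rescue a SAN list of ['cacert.org']
when the host is 'www.cacert.org'. Names below are constructed.
"""


def _identifier_matches(pattern: str, host: str) -> bool:
    """Compare one presented identifier with the reference host name.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: '*.cacert.org' covers 'www.cacert.org' but neither
    'cacert.org' nor 'a.b.cacert.org'. Matching is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Drop the host's leftmost label; the remainder must equal the
        # part of the pattern after '*.'.
        _, sep, rest = host.partition(".")
        return bool(sep) and rest == pattern[2:]
    return pattern == host


def names_considered(common_name: str, san_dns: list[str]) -> list[str]:
    """Identifiers a conforming client actually evaluates for this cert.

    Useful for diagnosing the 'misleading error' in the thread: the
    browser checked the SAN list, yet its message names the CN.
    """
    return list(san_dns) if san_dns else [common_name]


def hostname_matches(host: str, common_name: str, san_dns: list[str]) -> bool:
    """True if the certificate is valid for `host` (SANs win over CN)."""
    return any(_identifier_matches(n, host) for n in names_considered(common_name, san_dns))


# The certificate from the thread: CN=*.cacert.org, SAN=cacert.org
THREAD_CN = "*.cacert.org"
THREAD_SANS = ["cacert.org"]

if __name__ == "__main__":
    for h in ("cacert.org", "www.cacert.org"):
        print(h, "->", hostname_matches(h, THREAD_CN, THREAD_SANS),
              "(checked:", names_considered(THREAD_CN, THREAD_SANS), ")")
```

Running it shows cacert.org accepted and www.cacert.org rejected, while the CN the error message cites was never part of the comparison.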
