[EMAIL PROTECTED] wrote:
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-openssl-

Yep. But CAs typically put them in both anyway. On the other hand, if every site appears within the same domain (e.g. foo.domain.com, bar.domain.com, baz.domain.com), it might be better to get a domain cert that contains "*.domain.com".
Both domains are different since my internal net is managed by me alone (and it is neither permissible nor possible to run your own dns for the domain names assigned by the provider)...
I had the same problem here: My server has a different name when connected from the inside than when connected from the outside (but this is good for testing...) As long as you issue your own certificates it is trivial...
On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:

Joseph Oreste Bruni wrote:

You can have as many commonNames as you want. That goes for subjectAltName fields too. I do that on an apache server (not using TLS) that needs to host more than one SSL site. Every browser I've used is okay with certs. that have multiple CN's.

But he should use the subjectAltName extension. Using the CN is deprecated.
How do I define the subjectAltName, since I've tried it already but failed... What configuration directives are needed??
Which OpenSSL version do you use? 0.9.8 should be best. (Additionally you could try my patch (Ticket 1050 / 1052) which gives you greater influence setting the entry...)

An extract from my openssl.cnf:

    [...]
    [ ssl_cert ]
    # These extensions are added when 'ca' signs a request.
    [...]
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    subjectAltName=email:move,DNS:copy.commonName,DNS:shomitefo.dyndns.org
    [...]

description: generate a subjectAltName extension containing

1. a generalName of type emailAddress containing the email address from the DN of the request (deleted from the DN) (if set)
2. a generalName of type dnsName containing a copy of the DN entry commonName of the request (if set) (this requires my patch in ticket 1050 / 1052)
3. a generalName of type dnsName containing my dyndns.org domain.

Since you are not the first one I point to my patch I would like somebody from the core team to have a look at it and include it into the head... (nag, nag,,, :-) )

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
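The setup discussed in this thread (one server reachable under an inside and an outside name, certificates issued by your own CA) can be reproduced with stock OpenSSL directives as follows. This is an added example, not part of the original messages or of the patch mentioned above; the host names, file names and the functions `issue_san_cert` and `cert_matches_host` are constructed for illustration, and it assumes an `openssl` command line that supports `x509 -checkhost`.

```shell
#!/bin/sh
# Added example: constructed host names, throwaway keys, stock OpenSSL only.

# issue_san_cert DIR CN [NAME...]: make a test CA in DIR and sign a server
# certificate whose subjectAltName holds CN plus every extra NAME as dNSName.
issue_san_cert() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done

    # [ ssl_cert ] plays the role of the section in the mail, with the names
    # written out, since the mail says DNS:copy.commonName needs the patch.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ssl_cert ]
basicConstraints = CA:FALSE
subjectAltName = $san
EOF

    openssl req -x509 -config "$dir/san.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -config "$dir/san.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    # The signer's -extfile decides the extensions, not the request.
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.cnf" -extensions ssl_cert \
        -out "$dir/srv.pem" 2>/dev/null
}

# cert_matches_host CERT HOST: true only if CERT is valid for HOST.
# When dNSName entries exist, the commonName is not consulted.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo: inside name as CN, outside name as an additional entry.
demo_dir=$(mktemp -d)
issue_san_cert "$demo_dir" host.internal.example host.example.org &&
for h in host.internal.example host.example.org other.example.org; do
    cert_matches_host "$demo_dir/srv.pem" "$h" && echo "match: $h" || echo "no match: $h"
done
rm -rf "$demo_dir"
```

Because the commonName is listed explicitly as the first dNSName, both names keep validating in clients that ignore the CN once a subjectAltName is present.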