dNSName is a DNS name. It can be an IP, but I'm not sure about the encoding rules for it (SMTP requires an IP in the destination field to be in the form [192.168.1.1] (in square brackets), but I don't know about X.509v3; it could just be the IP without decoration.)
subjectAltName=dNSName: domain.com
subjectAltName=dNSName: *.domain.com
subjectAltName=dNSName: *.*.domain.com

The binding isn't done via IP address (as DNS can be spoofed), but rather by proof of possession of secret key.

-Kyle H

On 2/10/06, Khai Doan <[EMAIL PROTECTED]> wrote:
> To quote RFC 2818:
>
>    If a subjectAltName extension of type dNSName is present, that MUST
>    be used as the identity. Otherwise, the (most specific) Common Name
>    field in the Subject field of the certificate MUST be used. Although
>    the use of the Common Name is existing practice, it is deprecated and
>    Certification Authorities are encouraged to use the dNSName instead.
>
> Can someone give me an example? Am I doing this correctly:
>
> subjectAltName=dNSName:192.168.1.12
>
> What is value for dNSName ? Is it supposed to be IP address? Is it
> supposed to be www.domain.com ?
>
> I wish to create wild card certificates of the form *.domain.com and
> *.*.domain.com that bind to a single IP address. Has anyone done this?
> Does it work with Internet Explorer ?
>
> Thank you.
>
> Khai
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
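An added example, not part of the original thread and not OpenSSL code: a Python implementation of the identity check from RFC 2818 section 3.1 that the question quotes, applied to the names discussed above. The function and parameter names are assumptions, the certificates are constructed name lists rather than parsed X.509, and the caller supplies the most specific Common Name.

```python
import ipaddress

def match_name(pattern, host):
    """Compare a certificate name with a host name label by label.

    RFC 2818 wording: "*" matches any single domain name component, so
    *.a.com matches foo.a.com but not bar.foo.a.com. Only whole-label
    wildcards are handled here (no fragments such as f*.com). RFC 6125
    later advises clients to accept a wildcard only as the left-most label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(
        (pl == "*" and hl != "") or pl == hl for pl, hl in zip(p, h)
    )

def check_identity(reference, san_dns=(), san_ip=(), common_name=None):
    """Return True if the certificate names cover `reference` (host or IP)."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # RFC 2818 3.1: for an IP address the iPAddress subjectAltName must
        # be present and match exactly; dNSName and CN are not consulted.
        return any(ipaddress.ip_address(ip) == ref_ip for ip in san_ip)
    if san_dns:
        # Any dNSName present: it MUST be used, the Common Name is ignored.
        return any(match_name(name, reference) for name in san_dns)
    return common_name is not None and match_name(common_name, reference)

# Constructed sample certificates (name lists only, no real X.509 parsing).
WILDCARD = {"san_dns": ["domain.com", "*.domain.com"]}
IP_AS_DNS = {"san_dns": ["192.168.1.12"]}
IP_SAN = {"san_ip": ["192.168.1.12"]}

if __name__ == "__main__":
    for ref, cert in [("www.domain.com", WILDCARD), ("a.b.domain.com", WILDCARD),
                      ("192.168.1.12", IP_AS_DNS), ("192.168.1.12", IP_SAN)]:
        print(ref, cert, check_identity(ref, **cert))
```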