Not easy to play with a CA root and extensions. I had to add the option copy_extensions = copy to [ CA_default ] to force the certificate generation to include extensions from the certificate request.

And yes, after importing the CA, the browsers don't complain anymore when the server certificate changes.

Thanks for helping

Alain

On 6/17/07, Alain Spineux <[EMAIL PROTECTED]> wrote:
Thanks to ALL, I used all of this to find my way.

I finally got what I wanted using the configuration below, using multiple subjectAltName. It works with IE 6 and 7, Firefox 1.5, 2.0, AND Thunderbird and Outlook Express using IMAP and SMTP (TLS and SSL).

Then every time I update my DNS, adding a new domain, I have to update my certificate. BUT then clients have to trust this new certificate ... this is annoying! I will try using a CA root if I can avoid this disagreement. Maybe you already know the answer? :-)

Here is the command I used to generate the working certificate,

    # openssl req -new -x509 -outform PEM -keyform PEM -nodes \
        -days 3650 -out cert.pem -keyout key.pem \
        -config tmp.req.cnf

and here is the config I used

    [ req ]
    distinguished_name = req_distinguished_name
    default_bits       = 1024
    prompt             = no
    # extensions written into the self-signed (-x509) certificate
    x509_extensions    = v3_req
    string_mask        = nombstr

    [ req_distinguished_name ]
    CN = *.foobar.com

    [ v3_req ]
    basicConstraints = CA:TRUE
    subjectAltName   = @alt_names

    # one DNS entry per hosted name; the CN is ignored once a SAN is present
    [ alt_names ]
    DNS.1 = alpha.loc.customer.example.com
    DNS.2 = beta.loc.customer.example.com
    DNS.3 = gamma.loc.customer.example.com

Here are interesting links I used as reference.

The openssl-users thread named "Wildcard ssl certificate using subjectAltName" that showed me the way, with the useful sample by Victor Duchovni:
http://www.nabble.com/Wildcard-ssl-certificate-using-subjectAltName-t1103260.html

The link http://wiki.cacert.org/wiki/VhostTaskForce explores several ways, but I retained only the one using multiple subjectAltName, found in http://wiki.cacert.org/wiki/VhostsApache?action=show :

    The CommonName is ignored if you have any SubjectAltName's so the best thing to do is to repeat the CommonName as a SubjectAltName.

On 6/16/07, Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote:
> --On June 16, 2007 13:25:33 +0200 Alain Spineux <[EMAIL PROTECTED]> wrote:
>
> > Hello
>
> Hello Alain,
>
> > I would like to create an individual space for all my customers, using
> > their own domain name.
> >
> > For example
> >
> > debian.org -> debian.org.example.com
> > linux.org -> linux.org.example.com
> > uk.debian.org -> uk.debian.org.example.com
> >
> > I tried to create a wildcard certificate for example.com, but it only
> > works for foo.example.com
> > not for foo.bar.example.com
> >
> > That way, I can host the service on separate servers, totally independent.
> > The only one that knows them all is the DNS, that is the only one to
> > have a backup.
>
> You could stuff all host names in a subjectAltName extension...
> At least modern browsers should support it...
>
> Bye
>
> Goetz
>
> --
> DMCA: The greed of the few outweighs the freedom of the many
>
> --

--
Alain Spineux aspineux gmail com
May the sources be with you
--
Alain Spineux aspineux gmail com
May the sources be with you

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
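The workflow Alain ends up with (a private CA root, a certificate request whose hostnames sit in subjectAltName, and copy_extensions = copy so the SAN list reaches the issued certificate) as an added, runnable example; it is not code from the thread. It assumes an openssl binary on PATH (1.1.1 or 3.x); every hostname, file name and the CA name are constructed. It signs the same request twice, once with the default copy_extensions = none and once with copy, to show that the SAN list is silently dropped in the first case and kept in the second. It also keeps the thread's own basicConstraints = CA:TRUE in the request to show the caveat the openssl ca manual attaches to copy_extensions: with copy, an extension already set in the CA's own extension section (here basicConstraints = CA:FALSE) is never replaced from the request, whereas copyall would let the request override it.

```shell
# Added example, not code from the thread: a scratch private CA signs a CSR
# carrying its hostnames in subjectAltName, without and with copy_extensions.
# Every hostname, file name and CA name below is constructed.
set -eu

# Print the value line of the named X509v3 extension (empty if absent).
ext_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 | tr -d ' '
}

# Root config: a real CA (CA:TRUE, keyCertSign), unlike the thread's leaf.
write_ca_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
CN = Example Lab Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Server CSR config: req_extensions (not x509_extensions) puts the SAN list
# into the request. The thread's CA:TRUE is kept to show the CA overriding it.
write_server_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req
[ dn ]
CN = alpha.loc.customer.example.com
[ v3_req ]
basicConstraints = CA:TRUE
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = alpha.loc.customer.example.com
DNS.2 = beta.loc.customer.example.com
DNS.3 = gamma.loc.customer.example.com
EOF
}

# "openssl ca" config; $2 is the copy_extensions value (none or copy). With
# "copy", anything already set in server_ext is never replaced from the CSR.
write_ca_cnf() {
    cat > "$1" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir   = ./newcerts
database        = ./index.txt
serial          = ./serial
certificate     = ./ca.pem
private_key     = ./ca.key
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_any
x509_extensions = server_ext
copy_extensions = $2
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Build everything in a temp directory and print one summary line:
#   nocopy=<SAN or empty> copy=<SAN> bc=<basicConstraints> verify=<OK|FAIL>
run_demo() {
    work=$(mktemp -d)
    (
        cd "$work" && mkdir newcerts && : > index.txt && echo 01 > serial
        write_ca_req_cnf ca_req.cnf; write_server_req_cnf server_req.cnf
        write_ca_cnf ca_nocopy.cnf none; write_ca_cnf ca_copy.cnf copy
        # Root key + self-signed CA cert, then server key + CSR with the SANs.
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
            -config ca_req.cnf -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes \
            -config server_req.cnf -keyout server.key -out server.csr 2>/dev/null
        # Sign the same CSR twice: the default silently drops the request's
        # extensions; "copy" keeps the SAN but not the request's CA:TRUE.
        openssl ca -batch -notext -config ca_nocopy.cnf \
            -in server.csr -out server_nocopy.pem 2>/dev/null
        openssl ca -batch -notext -config ca_copy.cnf \
            -in server.csr -out server_copy.pem 2>/dev/null
        if openssl verify -CAfile ca.pem server_copy.pem >/dev/null 2>&1
        then v=OK; else v=FAIL; fi
        printf 'nocopy=%s copy=%s bc=%s verify=%s\n' \
            "$(ext_of server_nocopy.pem 'Subject Alternative Name')" \
            "$(ext_of server_copy.pem 'Subject Alternative Name')" \
            "$(ext_of server_copy.pem 'Basic Constraints')" "$v"
    )
    rm -rf "$work"
}

run_demo
```

Run it with sh; the printed line should show an empty nocopy= field, the three DNS names in copy=, bc=CA:FALSE and verify=OK. The empty nocopy= field is the symptom behind the first message of the thread: without copy_extensions, openssl ca issues a certificate that carries none of the names the request asked for.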