On Sat, Jan 24, 2009, Marco De Vitis wrote:

> Hi,
> running my own CA on a Debian Etch machine (openssl 0.9.8c) I need to
> create a certificate for a private mailserver, which must be reachable both
> using its hostname and its IP address. So the certificate needs to contain
> both, to prevent warnings at the client side. The mail clients used will
> be, among others, Outlook Express and Outlook 2007 (I cannot avoid this).
>
> I tried various solutions, to no avail.
>
> I first generated a certificate containing two Common Names, and it was ok
> for Outlook Express, but not for Outlook, which shows a security warning
> when using the second name.
>
> I then tried various subjectAltName configurations, but none of these seems
> to be supported by either OE or Outlook, they both always show a security
> warning for one of the names. Here are some configurations I tried:
>
> subjectAltName = IP:<IP address>
>
> subjectAltName = otherName:1.2.3.4;UTF8:<IP address>
>
> subjectAltName = dirName:dir_sect
> [dir_sect]
> C = IT
> O = bla bla
> OU = bla bla
> CN = <IP address>
>
> subjectAltName = @alt_names
> [alt_names]
> IP.1 = <IP address>
>
> All other needed parameters in openssl.cnf are correctly in place, AFAICT,
> because the subjectAltName values are correctly visible in the generated
> certificate.
> I can post the full openssl.cnf if needed.
>
> Any clues?
> Thanks.
>

You don't say which give a warning. If you use the IP version in
subjectAltName do you get a warning for the hostname or the IP address?

If the hostname but not IP address try adding a second value, DNS:whatever.com

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
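
The suggestion in the reply, written out as an added example that is not part of the original thread: an `alt_names` section carrying both a DNS and an IP entry, signed by a throwaway CA and then inspected. The hostname `mail.example.test`, the address `192.0.2.10`, the file names and the function names are constructed placeholders, and signing with `openssl x509 -req` is an assumption about the CA workflow.

```sh
#!/bin/sh
# Added example. mail.example.test and 192.0.2.10 are constructed placeholders.
set -e

# make_cert <workdir> <hostname> <ip>: issue a server certificate whose
# subjectAltName holds both a dNSName and an iPAddress entry.
make_cert() {
    dir=$1; host=$2; ip=$3
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
    # Throwaway CA, standing in for the private CA that already exists.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/server.cnf" \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key and CSR; the extensions are added at signing time.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_req \
        -out "$dir/server.pem" 2>/dev/null
}

# san_of <cert.pem>: print the decoded subjectAltName line of a certificate.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

work=$(mktemp -d)
make_cert "$work" mail.example.test 192.0.2.10
san_of "$work/server.pem"
rm -rf "$work"
```

Running `san_of` against the certificate actually installed on the mail server shows which of the two entry types it carries, which is the first thing to check when a client warns for only one of the names.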
