Hi
I am using various version of openssl-0.9.x (including
openssl-0.9.8k-1.fc11.i686 on my linux machine altho the cusotmized
openssl.cnf file is probably inherited from a slightly earlier version.)
When I create a certificate signing request with openssl, I have an option
to specify an Subject Alternative Name (SAN.) The request file (csr) as
well as the resulting certificate includes the SAN as a value in the in the
subject field.
Subject: C=US, ST=xxxxx, L=xxxxx, O=xxxxx, OU=IT,
CN=server1.company.com/subjectAltName=server2.company.com/emailAddress=xxxxx
@company.com
With MS Exchange2007, you can use a command from the powershell to generate
a certificate request, which includes optional DNS servers. The csr is
still signed with OpenSSL (I have one openssl machine designated as the
primary CA.) As you can see, the resulting certificate has a separate
Subject Alternative Name field.
Subject: C=US, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=server1.company.com
X509v3 Subject Alternative Name:
DNS:server1.company.comm, DNS:server2.company.com
I need to use a SAN with my Exchange server certificate since the same
certificate is used for several related services, on the same IP address,
but different host names are used to make client access simpler (e.g.
"mail.company.com" for e-mail clients and "webmail.company.com" for those
accessing web-based mail.)
I am not sure which certificate format is the correct one. And it would be
much easier to use openssl instead of the exchange power shell.
(Most things in Microsoft can be done via the the GUI, but a few "advanced"
certificate functions require the exchange power shell.)
Thanks
