Some additional info:

My openssl.cnf file includes the following

-----------------------------------------------------------------------------------------------------------------------------------

policy          = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
subjectAltName          = optional
..

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]..
subjectAltName          = Subject Alternate Name
subjectAltName_default          = www.foo.com

-----------------------------------------------------------------------------------------------------------------------------------

Openssl is configured as a CA.

I had added the entries for subjectAltName. I do get prompted for this
when creating a certificate signing request (CSR).

When I submit a CSR created by MS Exchange shell, the policy can NOT
include "subjectAltName = required". So clearly MS Exchange is not
using the same structure for this as openssl.

I am pretty sure I have the correct syntax for subjectAltName in
openssl.cnf.

If I try adding a field in for "planet" it is just ignored. So it seems
clear that openssl is treating "subjectAltName" as a valid entry.

The default openssl.cnf included

-----------------------------------------------------------------------------------------------------------------------------------

[ usr_cert ]
..
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
..
-----------------------------------------------------------------------------------------------------------------------------------

So it looks like openssl.cnf could optionally automatically copy the e-mail
address to subjectAltName.

-Thanks
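
An added example, not from this thread or from the OpenSSL project: a request config that puts the SAN in the extensions section named by req_extensions (the line the author's file has commented out), then checks that the CSR carries it as an X509v3 extension rather than as a "/subjectAltName=" component of the Subject DN. It assumes the openssl CLI is on PATH; the example.com names are constructed placeholders.

```shell
# Added example, not from the thread. Builds a CSR whose SAN is an X509v3
# extension rather than a "/subjectAltName=" component of the Subject DN.
# Assumes the openssl CLI is on PATH; all names are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# The SAN must live in an extensions section named by req_extensions.
# Listing subjectAltName under [req_distinguished_name] only adds a DN
# attribute, which is what the thread's first CSR shows.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
C  = US
O  = Example Co
CN = mail.example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mail.example.com
DNS.2 = webmail.example.com
EOF
}

# Generate a throwaway key and the CSR from that config.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$WORK/csr.pem" -config "$WORK/req.cnf" 2>/dev/null
}

# Print the CSR's Subject line: it must not contain "subjectAltName".
csr_subject() {
    openssl req -in "$WORK/csr.pem" -noout -subject
}

# Print the DNS names from the CSR's SAN extension, one per line.
csr_san_names() {
    openssl req -in "$WORK/csr.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

write_req_config
make_csr
csr_subject
csr_san_names
```

When such a CSR is then signed with `openssl ca`, the CA section of openssl.cnf needs `copy_extensions = copy`, otherwise the requested SAN is dropped from the issued certificate.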

From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com] 
Sent: Saturday, September 18, 2010 5:08 PM
To: openssl-users@openssl.org
Subject: Confusion about subject alternative names

Hi

I am using various versions of openssl-0.9.x (including
openssl-0.9.8k-1.fc11.i686 on my linux machine although the customized
openssl.cnf file is probably inherited from a slightly earlier version.)

When I create a certificate signing request with openssl, I have an option
to specify a Subject Alternative Name (SAN). The request file (csr) as
well as the resulting certificate includes the SAN as a value in the
subject field.

        Subject: C=US, ST=xxxxx, L=xxxxx, O=xxxxx, OU=IT,
CN=server1.company.com/subjectAltName=server2.company.com/emailAddress=xxxxx@company.com

With MS Exchange 2007, you can use a command from the powershell to generate
a certificate request, which includes optional DNS servers. The csr is
still signed with OpenSSL (I have one openssl machine designated as the
primary CA.) As you can see, the resulting certificate has a separate
Subject Alternative Name field.

        Subject: C=US, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=server1.company.com

            X509v3 Subject Alternative Name:
                DNS:server1.company.comm, DNS:server2.company.com

I need to use a SAN with my Exchange server certificate since the same
certificate is used for several related services, on the same IP address,
but different host names are used to make client access simpler (e.g.
"mail.company.com" for e-mail clients and "webmail.company.com" for those
accessing web-based mail.) 

I am not sure which certificate format is the correct one. And it would be
much easier to use openssl instead of the Exchange PowerShell.

(Most things in Microsoft can be done via the GUI, but a few "advanced"
certificate functions require the Exchange PowerShell.)



Thanks  
