On 12/10/2012 2:43 PM, Jaquez Jr, Hector L. wrote:
> Hello All,
>         I am having an issue trying to get my server to read the SAN entries
> that I have configured in my cnf file.  I created a .CSR file (2048) and
> had our PKI folks generate the certificate (.p7b) so that I could import
> it into my application.  The application accepts the certificate and the
> corresponding private key.  However, when I connect to the application
> using the FQDN I get a certificate error but when I use just the hostname
> it works fine. During the creation of the CSR file I assigned the common
> name as just the hostname.  I recreated the CSR file setting the common
> name as the FQDN and when I tried accessing the application with the host
> name I received a certificate error.  However, when I tried accessing the
> application with the FQDN it worked fine.  It's as though the certificate
> is not applying the SANS I configured in the .cnf file. I researched many
> forums to try to identify what I am missing but I just can't seem to figure
> it out so I am turning to this group. See below for configs that I set in
> .cnf file. I am not sure if I need to run a specific Openssl command to
> insert this in the certificate. I have done this once before and the SANS
> were read perfectly fine so I am not sure what could be the issue.
>  Please help....



Use the following command to check if the certificate you got back from the PKI folks actually contains the SANs you wanted:

openssl pkcs7 -in yourcert.p7b -noout -print_certs -text

(A CA is not required to obey any of the requested attributes listed in the CSR, and by default most CA software will put in only its usual attributes unless explicitly told otherwise by the PKI folks).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
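
The check suggested in the reply above can be extended to compare the SANs requested in the CSR against the SANs in the returned .p7b. The script below is an added example, not part of the original thread. It assumes a PEM-encoded .p7b; the hostnames, file names and the self-signed certificate standing in for the CA are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostnames and file names are constructed, not from the thread.

# Filter: read `openssl ... -text` output, print each DNS SAN on its own line.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Print every DNS SAN requested in CSR $1 that is absent from the .p7b $2.
missing_sans() {
    want=$(openssl req -in "$1" -noout -text | san_names)
    have=$(openssl pkcs7 -in "$2" -print_certs -text -noout | san_names)
    for name in $want; do
        printf '%s\n' "$have" | grep -qxF "$name" || echo "$name"
    done
}

# Build a CSR with two SANs in directory $1, then issue it twice with a
# self-signed stand-in for the CA: once ignoring the requested extensions
# (the `openssl x509 -req` default) and once told to include them.
make_demo() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = host1
[ v3_req ]
subjectAltName = DNS:host1, DNS:host1.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -config "$1/req.cnf" -out "$1/req.csr" 2>/dev/null
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -out "$1/dropped.pem" 2>/dev/null
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/req.cnf" -extensions v3_req -out "$1/kept.pem" 2>/dev/null
    for n in dropped kept; do
        openssl crl2pkcs7 -nocrl -certfile "$1/$n.pem" -out "$1/$n.p7b"
    done
}

demo=$(mktemp -d) && make_demo "$demo"
echo "SANs missing when the CA ignores the CSR extensions:"
missing_sans "$demo/req.csr" "$demo/dropped.p7b"
echo "SANs missing when the CA includes them:"
missing_sans "$demo/req.csr" "$demo/kept.p7b"
rm -rf "$demo"
```

If `missing_sans` prints nothing for the CSR itself compared with the issued bundle, the certificate carries every requested name; if the CSR text shows no SAN section at all, the problem is on the request side rather than with the CA.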