Re: [openssl-users] Wildcard: how are they correct?
Actually, for public CAs, the current standard (the CAB/F Basic Requirements) require (a), (b) or (c), and prohibit (d). The prohibition on (d) is stated indirectly as a prohibition against putting something that isn't the subjects validated public DNS name in CN. In practice, most public CAs use (a) for maximum backward compatibility. It should also be noted that it is a lot less than 20 years since the popular GNU wget utility started looking at subjectAltName. Lesser known tools may have been even slower to implement it. On 10/10/2018 08:54, Kyle Hamilton wrote: If subjectAltName exists, CN= is not evaluated. All the given examples should work. (The only exceptions are validators that haven't been current for more than 20 years.) None of the examples is correct. CN= should not even be included in the certificate. If it is, (d) is the closest to correct, if "hello world" is replaced by something meaningful to the identification or naming of the subject. -Kyle H On Tue, Oct 9, 2018 at 11:18 PM Walter H. wrote: Hello, which of these possibilities is the correct one? (a) CN=*.example.com and subjectAltName = DNS:*.example.com, DNS:example.com (b) CN=example.com and subjectAltName = DNS:example.com, DNS:*.example.com (c) CN=example.com and subjectAltName = DNS:*.example.com, DNS:example.com (d) CN=hello world and subjectAltName = DNS:example.com, DNS:*.example.com Thanks, Walter -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
nothing don't need to happen to the kid and I can't pick any one so I just come out side On Wed, Oct 10, 2018, 3:14 AM Dustin Albright wrote: > I come out side on fruit porch the kid and dad's in side like I said I > can't pick I'd how I ended up doing this but I'm here on the porch u diseve > the respece > > On Wed, Oct 10, 2018, 3:02 AM Dustin Albright > wrote: > >> this really wasn't my intention on all this not really sure how I don't >> it eat her >> >> On Wed, Oct 10, 2018, 2:18 AM Walter H. >> wrote: >> >>> Hello, >>> >>> which of these possibilities is the correct one? >>> >>> (a) CN=*.example.com >>> and subjectAltName = DNS:*.example.com, DNS:example.com >>> >>> (b) CN=example.com >>> and subjectAltName = DNS:example.com, DNS:*.example.com >>> >>> (c) CN=example.com >>> and subjectAltName = DNS:*.example.com, DNS:example.com >>> >>> (d) CN=hello world >>> and subjectAltName = DNS:example.com, DNS:*.example.com >>> >>> Thanks, >>> Walter >>> >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >>> >> -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
I come out side on fruit porch the kid and dad's in side like I said I can't pick I'd how I ended up doing this but I'm here on the porch u diseve the respece On Wed, Oct 10, 2018, 3:02 AM Dustin Albright wrote: > this really wasn't my intention on all this not really sure how I don't > it eat her > > On Wed, Oct 10, 2018, 2:18 AM Walter H. > wrote: > >> Hello, >> >> which of these possibilities is the correct one? >> >> (a) CN=*.example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (b) CN=example.com >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> (c) CN=example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (d) CN=hello world >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> Thanks, >> Walter >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
this really wasn't my intention on all this not really sure how I don't it eat her On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
if u would like to talk I will come talk with u because u divers the respect On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
I'm Dustin Albright I see what u r say thing there two listed so that's old man in back and me inn liven room with Lil Lil man On Wed, Oct 10, 2018, 2:55 AM Kyle Hamilton wrote: > If subjectAltName exists, CN= is not evaluated. All the given > examples should work. (The only exceptions are validators that > haven't been current for more than 20 years.) None of the examples is > correct. CN= should not even be included in the certificate. If it > is, (d) is the closest to correct, if "hello world" is replaced by > something meaningful to the identification or naming of the subject. > > -Kyle H > On Tue, Oct 9, 2018 at 11:18 PM Walter H. > wrote: > > > > Hello, > > > > which of these possibilities is the correct one? > > > > (a) CN=*.example.com > > and subjectAltName = DNS:*.example.com, DNS:example.com > > > > (b) CN=example.com > > and subjectAltName = DNS:example.com, DNS:*.example.com > > > > (c) CN=example.com > > and subjectAltName = DNS:*.example.com, DNS:example.com > > > > (d) CN=hello world > > and subjectAltName = DNS:example.com, DNS:*.example.com > > > > Thanks, > > Walter > > > > -- > > openssl-users mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
If subjectAltName exists, CN= is not evaluated. All the given examples should work. (The only exceptions are validators that haven't been current for more than 20 years.) None of the examples is correct. CN= should not even be included in the certificate. If it is, (d) is the closest to correct, if "hello world" is replaced by something meaningful to the identification or naming of the subject. -Kyle H On Tue, Oct 9, 2018 at 11:18 PM Walter H. wrote: > > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
I'm 25 Lil 18 old man in back the man in the back I'm not Goin to fight u I know I have to give my phone to u and are willing to so the rest is up to u and watch u diside On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
I can pick any one of my own family old man's in the back me Lil man and girl in liven room On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
so the way I'm take this it's pick and chose who walks right On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
may we talk On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Wildcard: how are they correct?
On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Wildcard: how are they correct?
Hello, which of these possibilities is the correct one? (a) CN=*.example.com and subjectAltName = DNS:*.example.com, DNS:example.com (b) CN=example.com and subjectAltName = DNS:example.com, DNS:*.example.com (c) CN=example.com and subjectAltName = DNS:*.example.com, DNS:example.com (d) CN=hello world and subjectAltName = DNS:example.com, DNS:*.example.com Thanks, Walter -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users