Got a minute? Openssl/Windows 2000 CA interop

2001-11-19 Thread Liam Helmer - Lists
I looked all around the net, and the one document I found,

http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt (or the openssl.txt)

talks about unsupported subjectAltName tags.

So, following those instructions, I've included the cert request, and certnew.cer, the binary encoded certificate. Anyone have suggestions for this here?

In text format, here's the problem I'm getting. I'm generating a certificate request using openssl with a subjectAltName. I'm doing it as follows:

subjectAltName = FQDN for ipsec ID
subjectAltName_min = 7
subjectAltName_max = 256
subjectAltName_default = dnsName:fqdn.of.the.server
This lets me enter in the DNS name of the server for use with FreeS/WAN ipsec (www.freeswan.org) with x509 certificates (http://www.strongsec.com/freeswan/, and specifically http://www.strongsec.com/freeswan/install.htm#section_7.2)

My organization is big on Microsoft... so I'm attempting to use the M$ certificate services to issue the certs. So, I send the request below, which contains the correct subjectAltName extension:

 Attributes:
 X509v3 Subject Alternative Name:dnsName:van-test-firewall.van.voyus.com


(Incidentally, I also tried using DNS:van-test-firewall.van.voyus.com, which got the same results. AFAICT, DNS: is an alias for dnsName:, so I tried that instead on this round).

Then, I get the cert request approved using the windows 2000 ca, and it comes back like this:

 X509v3 Subject Alternative Name:
 othername:unsupported

Now... I'm greatly familiar with interoperability problems using M$ products, but, I was curious if anyone knew of anything I can do to make this work. I'm also going to contact MS about this one... I can find no information about this on their support site of course.

I'm using openssl-0.96a.


Thanks in advance!
Liam

Attachments:
 localhost.localdomain-certrequest-ntformat-19-11-01.cer (binary data)
 certnew.cer (binary data)
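As an added illustration (not code from the thread), the following pure-Python decoder walks the DER value of a subjectAltName extension and classifies each GeneralName; OpenSSL prints an otherName whose OID it does not recognise as "othername:<unsupported>", so comparing the SAN from the CSR with the SAN of the issued certificate shows whether the CA re-encoded the dNSName instead of copying it. The two DER values are constructed samples (the otherName uses a placeholder OID 1.2.3.4); in practice the raw extension value is obtained from the CSR or the DER certificate with openssl asn1parse.

```python
# Added example: minimal DER decoder for the SubjectAltName extension
# value (GeneralNames ::= SEQUENCE OF GeneralName), used to check which
# name forms a CA actually issued.  Not code from the thread.

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag byte, value bytes, next position)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content octets into dotted form, e.g. b'\\x2a\\x03\\x04' -> '1.2.3.4'."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_san(der):
    """Decode a SAN extension value into [(kind, text), ...]."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("GeneralNames must be a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName must be context-specific")
        choice = tag & 0x1F
        if choice == 2:                     # dNSName [2] IA5String
            names.append(("dNSName", val.decode("ascii")))
        elif choice == 0:                   # otherName [0] SEQUENCE { type-id OID, value [0] }
            t, oid, _ = _read_tlv(val, 0)
            if t != 0x06:
                raise ValueError("otherName must start with an OID")
            names.append(("otherName", _decode_oid(oid)))   # what OpenSSL prints as <unsupported>
        else:
            names.append(("GeneralName[%d]" % choice, val.hex()))
    return names

def dns_names_preserved(csr_san, cert_san):
    """True when every dNSName requested in the CSR is issued as a dNSName."""
    wanted = {v for k, v in parse_san(csr_san) if k == "dNSName"}
    issued = {v for k, v in parse_san(cert_san) if k == "dNSName"}
    return wanted <= issued

# Constructed sample values (hand-encoded DER, not taken from the attachments).
DNS = b"van-test-firewall.van.voyus.com"                          # 31 bytes
SAN_FROM_CSR = b"\x30\x21" + b"\x82\x1f" + DNS                    # [2] dNSName
_OTHER = b"\x06\x03\x2a\x03\x04" + b"\xa0\x21" + b"\x0c\x1f" + DNS  # OID 1.2.3.4 + [0] UTF8String
SAN_FROM_CERT = b"\x30\x2a" + b"\xa0\x28" + _OTHER                # [0] otherName
```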


RE: Got a minute? Openssl/Windows 2000 CA interop

2001-11-19 Thread Franck Martin
Beware, MS is less forgiving than the openssl and the file must contain only one --CERTIFICATE-- section with no other text...

If need be edit the files. Check my HOWTO on how to sign certificate requests issued by key manager.

Check your files.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

  -----Original Message-----
  From: Liam Helmer - Lists [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, 20 November 2001 2:03
  To: '[EMAIL PROTECTED]'
  Subject: Got a minute? Openssl/Windows 2000 CA interop