Title: Got a minute? Openssl/Windows 2000 CA interop
Beware: MS is less forgiving than openssl, and the file must contain only one --CERTIFICATE-- section with no other text... If need be, edit the files. Check my HOWTO on how to sign certificate requests issued by Key Manager.

Check your files.
Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
This e-mail is intended for its addressees only. Do not forward this e-mail without approval. The views expressed in this e-mail may not necessarily be the views of SOPAC.
-----Original Message-----
From: Liam Helmer - Lists [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 November 2001 2:03
To: '[EMAIL PROTECTED]'
Subject: Got a minute? Openssl/Windows 2000 CA interop
I looked all around the net, and the one document I found, http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt (or the openssl.txt), talks about unsupported subjectAltName tags.

So, following those instructions, I've included the cert request, and certnew.cer, the binary encoded certificate. Anyone have suggestions for this here?
In text format, here's the problem I'm getting. I'm generating a certificate request using openssl with a subjectAltName. I'm doing it as follows:

    subjectAltName         = FQDN for ipsec ID
    subjectAltName_min     = 7
    subjectAltName_max     = 256
    subjectAltName_default = dnsName:fqdn.of.the.server

This lets me enter in the DNS name of the server for use with FreeS/WAN ipsec (www.freeswan.org) with x509 certificates (http://www.strongsec.com/freeswan/, and specifically http://www.strongsec.com/freeswan/install.htm#section_7.2).
My organization is big on Microsoft... so I'm attempting to use the M$ certificate services to issue the certs. So, I send the request below, which contains the correct subjectAltName extension:

    Attributes:
        X509v3 Subject Alternative Name:
            dnsName:van-test-firewall.van.voyus.com

(Incidentally, I also tried using DNS:van-test-firewall.van.voyus.com, which got the same results. AFAICT, DNS: is an alias for dnsName:, so I tried that instead on this round.)

Then, I get the cert request approved using the Windows 2000 CA, and it comes back like this:

    X509v3 Subject Alternative Name:
        othername:unsupported
Now... I'm greatly familiar with interoperability problems using M$ products, but I was curious if anyone knew of anything I can do to make this work. I'm also going to contact MS about this one... I can find no information about this on their support site, of course.

I'm using openssl-0.96a.

Thanks in advance!
Liam
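An added example for both messages above (not code from either poster, nor from OpenSSL or FreeS/WAN): it generates a CSR whose subjectAltName is a genuine X509v3 extension via a req_extensions section, and it implements the check Franck asks for, namely that a PEM file handed to or returned from the Windows CA holds exactly one CERTIFICATE block and nothing else. The FQDN, the file paths and the sample PEM contents are assumptions; the base64 in the sample files is placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: fqdn.of.the.server,
# host.key, host.csr, good.pem, bad.pem, text.pem.

# Produce key + CSR with a DNS SAN as a proper extension (req_extensions),
# rather than as a distinguished_name prompt entry.
# Usage: make_san_csr fqdn keyfile csrfile
make_san_csr() {
    fqdn=$1 key=$2 csr=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Print the SAN block of an issued certificate so you can see whether the CA
# kept dNSName or turned it into "othername:unsupported".
show_cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Number of "-----BEGIN CERTIFICATE-----" markers. CR characters are stripped
# first so a file saved on Windows (CRLF line endings) is counted correctly.
count_cert_blocks() {
    tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Succeeds only if the file holds exactly one CERTIFICATE block and every line
# is a PEM marker, base64 body or blank: no "Bag Attributes", no subject= lines,
# no second certificate from a chain.
check_single_cert_pem() {
    [ "$(count_cert_blocks "$1")" -eq 1 ] || return 1
    ! tr -d '\r' < "$1" | grep -Ev '^(-----(BEGIN|END) CERTIFICATE-----|[A-Za-z0-9+/=]*)$' >/dev/null
}

# Constructed sample files (placeholder base64, not a real certificate):
#   good.pem  one block, nothing else
#   bad.pem   two blocks plus export text, CRLF endings (what a chain/PKCS#12
#             export looks like)
#   text.pem  one block but a stray "subject=" line, CRLF endings
write_sample_pems() {
    dir=$1
    body='MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAe'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$dir/good.pem"
    printf '%s\r\n' 'Bag Attributes' '    friendlyName: test' \
        '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        'subject=/CN=CA' \
        '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$dir/bad.pem"
    printf '%s\r\n' 'subject=/CN=fqdn.of.the.server' \
        '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$dir/text.pem"
}

# Stand-alone demo: check the three sample files, then build a CSR if openssl
# is installed and show the SAN it carries.
work=$(mktemp -d)
write_sample_pems "$work"
for f in good.pem bad.pem text.pem; do
    if check_single_cert_pem "$work/$f"; then
        echo "$f: one CERTIFICATE block, nothing else"
    else
        echo "$f: rejected ($(count_cert_blocks "$work/$f") block(s) or stray text)"
    fi
done
if command -v openssl >/dev/null 2>&1; then
    make_san_csr fqdn.of.the.server "$work/host.key" "$work/host.csr" 2>/dev/null &&
        openssl req -in "$work/host.csr" -noout -text | grep -A1 'Subject Alternative Name' ||
        echo "openssl step skipped"
fi
```

The PEM check rejects anything that is not one bare certificate, which covers the two common ways a file ends up with "other text": a chain file with the CA certificate appended, and a PKCS#12 export that prefixes "Bag Attributes" and "subject=" lines. Run show_cert_san on the certificate the CA returns to confirm the SAN came back as a dNSName rather than an unsupported othername.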