Title: Got a minute? Openssl/Windows 2000 CA interop
Beware: MS is less forgiving than openssl, and the file must contain only one --CERTIFICATE-- section with no other text...
 
If need be, edit the files. Check my HOWTO on how to sign certificate requests issued by Key Manager.
 
Check your files.
 

Franck Martin
Network and Database Development Officer
SOPAC
South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addressees only. Do not forward this e-mail without approval. The views expressed in this e-mail may not necessarily be the views of SOPAC.

-----Original Message-----
From: Liam Helmer - Lists [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 November 2001 2:03
To: '[EMAIL PROTECTED]'
Subject: Got a minute? Openssl/Windows 2000 CA interop

I looked all around the net, and the one document I found,

http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt (or the openssl.txt)

talks about unsupported subjectAltName tags.

So, following those instructions, I've included the cert request, and certnew.cer, the binary encoded certificate. Anyone have suggestions for this here?

In text format, here's the problem I'm getting. I'm generating a certificate request using openssl with a subjectAltName. I'm doing it as follows:

subjectAltName                  = FQDN for ipsec ID
subjectAltName_min              = 7
subjectAltName_max              = 256
subjectAltName_default          = dnsName:fqdn.of.the.server

This lets me enter in the DNS name of the server for use with FreeS/WAN ipsec (www.freeswan.org) with x509 certificates (http://www.strongsec.com/freeswan/, and specifically http://www.strongsec.com/freeswan/install.htm#section_7.2)

My organization is big on Microsoft... so I'm attempting to use the M$ certificate services to issue the certs. So I send the request below, which contains the correct subjectAltName extension:

        Attributes:
            X509v3 Subject Alternative Name:dnsName:van-test-firewall.van.voyus.com

(Incidentally, I also tried using DNS:van-test-firewall.van.voyus.com, which got the same results. AFAICT, DNS: is an alias for dnsName:, so I tried that instead on this round).

Then, I get the cert request approved using the windows 2000 ca, and it comes back like this:

            X509v3 Subject Alternative Name:
                othername:<unsupported>

Now... I'm greatly familiar with interoperability problems using M$ products, but I was curious if anyone knew of anything I can do to make this work. I'm also going to contact MS about this one... I can find no information about this on their support site, of course.

I'm using openssl-0.96a.

Thanks in advance!
Liam

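An added example, not from either message in this thread: a POSIX shell script driving the openssl command line (assumed to be installed) that requests a subjectAltName through a req_extensions section, checks that the DNS name is really present in the CSR and in the issued certificate, and applies the "exactly one CERTIFICATE section, no other text" rule from the reply to a file as a CA web interface might hand it back. The host name fw.example.test, the config section names and all file names are constructed for the demonstration; the self-signing step only stands in for whatever CA issues the certificate.

```shell
#!/bin/sh
# Added example (not code from the thread). Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed host name standing in for the IPsec gateway in the post.
HOST="fw.example.test"

# Minimal openssl config: the SAN is requested via req_extensions so that
# it is carried as a proper X.509v3 extensionRequest in the PKCS#10 CSR.
cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $HOST

[ v3_req ]
subjectAltName = DNS:$HOST
EOF

# Generate a key and a CSR from the config above.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$WORK/req.pem" -config "$WORK/req.cnf" 2>/dev/null
}

# Succeed only if the CSR's requested extensions contain DNS:$HOST.
csr_has_dns_san() {
    openssl req -in "$WORK/req.pem" -noout -text | grep -q "DNS:$HOST"
}

# Stand-in for the CA: self-sign the CSR and copy the v3_req extensions.
sign_self() {
    openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1 \
        -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/cert.pem" 2>/dev/null
}

# Succeed only if the certificate in $1 still carries DNS:$HOST
# (this is the check that would have exposed "othername:<unsupported>").
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"
}

# Print how many CERTIFICATE blocks a PEM file contains.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy only the first CERTIFICATE block of $1 to $2, dropping any other text.
extract_first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----/ {if (p) exit}' "$1" > "$2"
}

main() {
    gen_csr
    csr_has_dns_san && echo "CSR carries DNS:$HOST"
    sign_self
    # Constructed "messy" file: banner text plus the certificate twice.
    { echo "Issued certificate follows:"; cat "$WORK/cert.pem"; cat "$WORK/cert.pem"; } \
        > "$WORK/messy.pem"
    echo "messy.pem has $(count_pem_certs "$WORK/messy.pem") CERTIFICATE blocks"
    extract_first_cert "$WORK/messy.pem" "$WORK/clean.pem"
    echo "clean.pem has $(count_pem_certs "$WORK/clean.pem") CERTIFICATE block"
    cert_has_dns_san "$WORK/clean.pem" && echo "issued cert still carries DNS:$HOST"
}

main "$@"
```

Run it as a plain shell script; it prints the two counts and confirms the DNS name survives both in the CSR and in the cleaned certificate file. Running cert_has_dns_san against a certificate returned by a real CA is the quick way to confirm the SAN was preserved rather than rewritten.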