Re: [openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?
Alexandre Arantes wrote:
> one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.

There are no standardized naming rules for client certs like the TLS server hostname check implemented at the client side. You have to define and implement your own naming/mapping rules at the server side.

> And so I started searching online for ways to do it, but found nothing.

No wonder because there's no standard way.

Several possibilities for client cert names:
- subject DN
- issuer-DN + serial no.
- cert fingerprint
- Any naming convention stuffed into subjectAltName extension

Some inspiration in various server software:

FakeBasicAuth in Apache's mod_ssl:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Certificate Mappers in OpenDJ:
http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html

Ciao, Michael.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?
Hello,

I recently implemented a secured communication between two sites in which one acts as the server and the other as the client. To accomplish this, I used openssl to generate self-signed CA, Server and Client certificates (the calls are made using cURL).

It all works beautifully and testing my proof-of-concept has shown that if one of the pieces is missing from the equation (CA, Server, Client certificates), the communication ceases.

But once I showed my work to people in my company, one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.

And so I started searching online for ways to do it, but found nothing. I also looked into the openssl site and documentation and found nothing there either. The truth is that I don't even know if this is possible or even if this is the right question to ask.

But can it be done? And if so, could you show me how, or where should I go to get more information on how to accomplish this?

If you need more information on how I set up this communication, please let me know and I will be glad to share it here.

Thanks,
Alex
Re: [openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?
> But once I showed my work to people in my company, one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.

You have to put the client name or ipaddr in the subjectAltName extension field. Then you'd have to put code on your server to verify that.
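
Added example (not part of the thread, and not code from OpenSSL or any poster): one way to write the server-side check the replies describe, in Python, over the dict that ssl.SSLSocket.getpeercert() returns after a handshake with verify_mode = ssl.CERT_REQUIRED. The sample certificate, the names client1.example.com and batch-user, the ALLOWED_CLIENTS table and the two rules are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "batch-client"),),),
    "subjectAltName": (("DNS", "client1.example.com"), ("IP Address", "192.0.2.10")),
}

# Hypothetical server-side mapping rule: SAN DNS name -> local account.
ALLOWED_CLIENTS = {"client1.example.com": "batch-user"}


def san_entries(peer_cert, kind):
    """Return the subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for k, value in peer_cert.get("subjectAltName", ()) if k == kind]


def map_client(peer_cert, peer_ip, allowed=ALLOWED_CLIENTS):
    """Map a chain-verified client certificate to a local account, or None.

    Rule 1: the TCP peer address must equal one of the certificate's IP SANs,
            which ties the certificate to that specific client machine.
    Rule 2: one of the DNS SANs must be a name on the server's allowlist.
    The DNS name is never resolved: reverse DNS is not an authenticated source.
    """
    if not peer_cert:
        return None  # no client certificate was presented
    peer = ipaddress.ip_address(peer_ip)
    if peer.version == 6 and peer.ipv4_mapped:
        peer = peer.ipv4_mapped  # dual-stack listeners report ::ffff:a.b.c.d
    cert_ips = set()
    for text in san_entries(peer_cert, "IP Address"):
        try:
            cert_ips.add(ipaddress.ip_address(text.strip()))
        except ValueError:
            continue  # skip malformed entries instead of trusting them
    if peer not in cert_ips:
        return None
    for name in san_entries(peer_cert, "DNS"):
        account = allowed.get(name.lower())
        if account:
            return account
    return None
```

In a server this would be called as map_client(conn.getpeercert(), conn.getpeername()[0]) on the accepted TLS socket, and the connection closed when it returns None.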