Re: Multi-valued RDN in Subject Alternative Name extension
On Sat, 20 Jun 2020 at 10:21, Michael Ströder wrote:
> On 6/18/20 9:12 AM, Williams, Gareth wrote:
> > I can successfully add a multi-value RDN to the Subject of a
> > certificate request using the + format in the config file:
> > [..]
> > However, if I add a SAN to the request:
> > [..]
> > the resulting request has them as separate RDNs (as if the + is not
> > noticed).
>
> Probably not the answer you were expecting:
>
> In general multi-valued RDNs are a can of worms. Even if you solve this
> particular step within OpenSSL you might run into many more issues with
> other components using the certs.
>
> => I'd strongly recommend to avoid multi-valued RDNs.
>
> Sometimes people want to make the subject DN unique by adding attributes
> to the RDN. But those attribute values would have to be unique in a
> certain scope anyway to achieve that. C (country ISO code) does not look
> like a good candidate for that. Or did you just use that as demo example?

Thanks for the response. I chose the country attribute simply as an example. I stumbled upon this while testing something else, so thought I'd ask the question. Your pragmatic answer is fine by me as I had no real use case – just a matter of curiosity.

Thanks again,
Gareth
Re: Multi-valued RDN in Subject Alternative Name extension
On 6/18/20 9:12 AM, Williams, Gareth wrote:
> I can successfully add a multi-value RDN to the Subject of a
> certificate request using the + format in the config file:
> [..]
> However, if I add a SAN to the request:
> [..]
> the resulting request has them as separate RDNs (as if the + is not
> noticed).

Probably not the answer you were expecting:

In general multi-valued RDNs are a can of worms. Even if you solve this particular step within OpenSSL you might run into many more issues with other components using the certs.

=> I'd strongly recommend to avoid multi-valued RDNs.

Sometimes people want to make the subject DN unique by adding attributes to the RDN. But those attribute values would have to be unique in a certain scope anyway to achieve that. C (country ISO code) does not look like a good candidate for that. Or did you just use that as demo example?

Ciao, Michael.
Multi-valued RDN in Subject Alternative Name extension
I can successfully add a multi-value RDN to the Subject of a certificate request using the + format in the config file:

    distinguished_name = req_dn

    [ req_dn ]
    O=Acme
    CN=Bloggs
    +C=GB

However, if I add a SAN to the request:

    subjectAltName = @alt_names

    [ alt_names ]
    DNS = www.example.com
    dirName = req_dn

the resulting request has them as separate RDNs (as if the + is not noticed). That is, the resulting subject field is:

    O = Acme, C = GB + CN = Test

While the resulting SAN extension is:

    DNS:www.example.com, DirName:/O=Acme/C=GB/CN=Test

Should multi-value RDNs work in the SAN too?

Kind regards,
Gareth Williams
X509 Subject Alternative Name
Hi folks,

I'm looking for openssl information on extracting a certificate's list of Subject Alternative names for matching a query substring to select a certificate in particular contexts.

All the openssl sample code that I've managed to find seems to be more heavy-weight than I'm interested in, using a GENERAL_NAMES and associated data structures to extract the names based on types (e.g. GEN_DNS, GEN_EMAIL, GEN_URI which I can't find details about) - I'm happy to use this but I can't find any documentation on it (which certainly hasn't stopped me before).

But I thought I'd throw out a general query, is there any simple mechanism for simply extracting the string (or strings) which define the x509 Subject Alternative Names for simple string matching?

Thanks ... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Subject alternative name problem
Hi all,

I have to generate a KDC certificate containing Subject alternative name extension using openssl which includes the following details:

** The KDC's X.509 certificate MUST contain name of the realm for that KDC and the principal name of the KDC (defined in RFC 1510bis) as the SubjectAltName version 3 extension. Below is the definition of this version 3 extension, as specified by the X.509 standard:

    subjectAltName EXTENSION ::= {
        SYNTAX GeneralNames
        IDENTIFIED BY id-ce-subjectAltName
    }

    GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
        otherName [0] OtherName,
        ...
    }

    OtherName ::= SEQUENCE {
        type-id OBJECT IDENTIFIER,
        value [0] EXPLICIT ANY DEFINED BY type-id
    }

For the purpose of specifying a Kerberos principal name, the value in OtherName MUST be a KerberosName, defined as follows:

    KerberosName ::= SEQUENCE {
        realm [0] Realm,
        principalName [1] PrincipalName
    }

This specific syntax is identified within subjectAltName by setting the type-id in OtherName to krb5PrincipalName, where (from the Kerberos specification) we have

    krb5 OBJECT IDENTIFIER ::= { iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) }
    krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }

* Please suggest SAN details that must be included in openssl.cnf for generating KDC certificate containing above mentioned details as a part of Subject Alternative Extension in kdc certificate.

I have generated KDC certificate by including following lines in openssl.cnf:

    # Add id-pkinit-san (pkinit subjectAlternativeName)
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

    [kdc_princ_name]
    realm = EXP:0, GeneralString:${ENV::REALM}
    principal_name = EXP:1, SEQUENCE:kdc_principal_seq

    [kdc_principal_seq]
    name_type = EXP:0, INTEGER:1
    name_string = EXP:1, SEQUENCE:kdc_principals

    [kdc_principals]
    princ1 = GeneralString:krbtgt
    princ2 = GeneralString:${ENV::REALM}

Is it enough to include the above lines in openssl.cnf while generating kdc certificate to add Subject Alternative Extension which satisfies the requirements mentioned in the beginning? Please guide me.

Regards,
Vinay
Re: Subject alternative name
You can use environment variables in the config file like

    extensions = x509v3

    [ x509v3 ]
    subjectAltName = @subjectAltName
    keyUsage = critical,keyEncipherment
    extendedKeyUsage = serverAuth
    crlDistributionPoints = $ENV::CRLDP
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid

    [ subjectAltName ]
    DNS = $ENV::DNSNAME

On 08/24/2010 07:47 AM, Gerald Iakobinyi-Pich wrote:
> Hello,
>
> I have managed to create a certificate containing different values for the "subject alternative name". But now I would like to be able to set this value (this alternative names) from the command line, when I invoke OpenSSL. Is there any possibility to do that? My target here is to avoid to have to modify the config file each time I have to generate a certificate with other alternative names.
>
> Thanks,
> Gerald
Subject alternative name
Hello,

I have managed to create a certificate containing different values for the "subject alternative name". But now I would like to be able to set this value (this alternative names) from the command line, when I invoke OpenSSL. Is there any possibility to do that? My target here is to avoid to have to modify the config file each time I have to generate a certificate with other alternative names.

Thanks,
Gerald
Re: Subject Alternative Name Help
Hi!

* Victor Duchovni wrote on Fri, Feb 12, 2010 at 15:03 -0500:
> On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:
>
> > (So DER encoding is used, and it is allowing 128 byte long
> > length fields allowing 2^1024 [a number taking four and a half
> > line in xterm because 309 decimal digits long] bytes long value
> > fields sufficient to enumerate every atom in the visible
> > universe an unbelievable huge number of times
> > - but in the end for certificates limit of 16384 [5 digit
> > number] is in effect :-))
>
> SSL protocol engines need sensibly sized I/O buffer size limits.
> The decision to limit SSL record lengths is reasonable. 16K
> is a fine choice. And yes, 5000 altName entries in a certificate
> is absurd. It may be the most expedient way to overcome design
> implementations in the software you are forced to use, but the
> SSL protocol is not obligated to support this use-case.

Of course you are right; I guess the 5000 altName-case isn't a perfect solution (but maybe some workaround, who knows), however limits close to practical order of magnitude (I mean just 10 or 100 times more than needed) can turn out too limited during protocols lifetime, I think, such as the famous 640 KB. Maybe in future some governmental approved personal X.509 certificates have to include a passport photography of the owner in 640x480x24 PNG format?

oki,

Steffen

About Ingenico: Ingenico is a leading provider of payment solutions, with over 15 million terminals deployed in more than 125 countries. Its 2,850 employees worldwide support retailers, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. More information on http://www.ingenico.com/.
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Please consider the environment before printing this e-mail
Re: Subject Alternative Name Help
On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:

> (So DER encoding is used, and it is allowing 128 byte long
> length fields allowing 2^1024 [a number taking four and a half
> line in xterm because 309 decimal digits long] bytes long value
> fields sufficient to enumerate every atom in the visible
> universe an unbelievable huge number of times
> - but in the end for certificates limit of 16384 [5 digit
> number] is in effect :-))

SSL protocol engines need sensibly sized I/O buffer size limits. The decision to limit SSL record lengths is reasonable. 16K is a fine choice. And yes, 5000 altName entries in a certificate is absurd. It may be the most expedient way to overcome design implementations in the software you are forced to use, but the SSL protocol is not obligated to support this use-case.

--
Viktor.
Re: Subject Alternative Name Help
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 14:20 -0500:
> The limit is not (only?) an X.509 limit, rather the SSL/TLS
> record layer cannot carry messages larger than 2^14 bytes (plus
> some overhead for compression algorithms which provably need to
> be able to make some records larger in order to make most
> records smaller). Given that the server certificate message in
> the SSL handshake needs to fit into a single record, the
> SSL/TLS protocol constrains certificates to 2^14 (16K) bytes.

oki, thank you for the clarification.

(So DER encoding is used, and it is allowing 128 byte long length fields allowing 2^1024 [a number taking four and a half line in xterm because 309 decimal digits long] bytes long value fields sufficient to enumerate every atom in the visible universe an unbelievable huge number of times - but in the end for certificates limit of 16384 [5 digit number] is in effect :-))

oki,

Steffen
Re: Subject Alternative Name Help
On Fri, Feb 12, 2010 at 12:41:16PM +0100, Steffen DETTMER wrote:
> * Victor Duchovni wrote:
> > The SSL/TLS record layer has a maximum record size, a
> > certificate probably needs to fit into one record, so if your
> > 500+ domains generate a certificate that is larger than ~16K
> > bytes, you may be out of luck.
>
> (I just ask for curiosity, not because I have any problem with that!)
> Does this mean that OpenSSL has a compiled-in certificate size
> limitation and to increase that it would be required to replace
> the libs on the systems needing to support bigger certificates?

The limit is not (only?) an X.509 limit, rather the SSL/TLS record layer cannot carry messages larger than 2^14 bytes (plus some overhead for compression algorithms which provably need to be able to make some records larger in order to make most records smaller). Given that the server certificate message in the SSL handshake needs to fit into a single record, the SSL/TLS protocol constrains certificates to 2^14 (16K) bytes.

--
Viktor.
Re: Subject Alternative Name Help
I believe it's an x.509v3 limitation and not specific to openssl. After getting Viktor's hint I did a little research and found that the limitation is set at 2^14.

Ron

Steffen DETTMER wrote:
>
> * Victor Duchovni wrote:
>> The SSL/TLS record layer has a maximum record size, a
>> certificate probably needs to fit into one record, so if your
>> 500+ domains generate a certificate that is larger than ~16K
>> bytes, you may be out of luck.
>
> (I just ask for curiosity, not because I have any problem with that!)
> Does this mean that OpenSSL has a compiled-in certificate size
> limitation and to increase that it would be required to replace
> the libs on the systems needing to support bigger certificates?
>
> oki,
>
> Steffen
Re: Subject Alternative Name Help
* Victor Duchovni wrote:
> The SSL/TLS record layer has a maximum record size, a
> certificate probably needs to fit into one record, so if your
> 500+ domains generate a certificate that is larger than ~16K
> bytes, you may be out of luck.

(I just ask for curiosity, not because I have any problem with that!)
Does this mean that OpenSSL has a compiled-in certificate size limitation and to increase that it would be required to replace the libs on the systems needing to support bigger certificates?

oki,

Steffen
Re: Subject Alternative Name Help
That was it. One @ 13k works and one @18k doesn't. Thanks Victor.

Ron

Victor Duchovni wrote:
>
> On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:
>
>> I am using OpenSSL to create a self sign certificate and have a need to
>> add approximately 4000, yes 4000, DNS entries (don't ask why) using Subject
>> Alternative Name. I have succeeded in creating a certificate with 500
>> DNS entries and it works just fine with no noticeable latency accessing the
>> web sites listed via the SAN in the certificate. However, I run into a
>> problem when I create a certificate with more than 500 SAN entries. OpenSSL
>> creates the certificate and there are no indications of any problems. After
>> installing the new certificate, however, I can no longer access any of
>> the sites where the certificate is installed.
>
> Can you report the output of:
>
> $ openssl x509 -in cert.pem -outform DER | wc -c
>
> for the "small-enough" and "too-big" certificates? The SSL/TLS record
> layer has a maximum record size, a certificate probably needs to fit
> into one record, so if your 500+ domains generate a certificate that
> is larger than ~16K bytes, you may be out of luck.
>
> --
> Viktor.
Re: Subject Alternative Name Help
On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:
>
> I am using OpenSSL to create a self sign certificate and have a need to add
> approximately 4000, yes 4000, DNS entries (don't ask why) using Subject
> Alternative Name. I have succeeded in creating a certificate with 500 DNS
> entries and it works just fine with no noticeable latency accessing the web
> sites listed via the SAN in the certificate. However, I run into a problem
> when I create a certificate with more than 500 SAN entries. OpenSSL creates
> the certificate and there are no indications of any problems. After
> installing the new certificate, however, I can no longer access any of the
> sites where the certificate is installed.

Can you report the output of:

    $ openssl x509 -in cert.pem -outform DER | wc -c

for the "small-enough" and "too-big" certificates? The SSL/TLS record layer has a maximum record size, a certificate probably needs to fit into one record, so if your 500+ domains generate a certificate that is larger than ~16K bytes, you may be out of luck.

--
Viktor.
Subject Alternative Name Help
I am using OpenSSL to create a self sign certificate and have a need to add approximately 4000, yes 4000, DNS entries (don't ask why) using Subject Alternative Name. I have succeeded in creating a certificate with 500 DNS entries and it works just fine with no noticeable latency accessing the web sites listed via the SAN in the certificate. However, I run into a problem when I create a certificate with more than 500 SAN entries. OpenSSL creates the certificate and there are no indications of any problems. After installing the new certificate, however, I can no longer access any of the sites where the certificate is installed.

I've read RFC3280 and there is no mention of a maximum for SAN entries. Has anyone had any experience with this or do you have any ideas?

Thanks for any help.
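Two questions from these threads answered in one runnable form: Nou Dadoun's request for a simple way to get the SAN strings out for plain matching, and Viktor's size check against the record limit. This is an added shell example, not code from any of the posts; it assumes the openssl CLI is on PATH, and the names (hostNNNN.example.net, san-demo) and the fixed 16384-byte limit are taken as the replies state them.

```shell
#!/bin/sh
# Throwaway self-signed certificate with N constructed dNSName entries, a
# helper that prints the SAN strings one per line, and a DER size check
# against the 16384-byte record limit. Requires the openssl CLI; all names
# (hostNNNN.example.net, san-demo) are made up for this demo.
set -e
WORK=$(mktemp -d)

# make_cert NAME COUNT: write a req config with COUNT DNS.n entries and
# self-sign it; the certificate lands in $WORK/NAME.pem
make_cert() {
    cfg="$WORK/$1.cnf"
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
        printf '[ dn ]\nCN = san-demo\n[ ext ]\nsubjectAltName = @alt\n[ alt ]\n'
        i=1
        while [ "$i" -le "$2" ]; do
            printf 'DNS.%d = host%04d.example.net\n' "$i" "$i"
            i=$((i + 1))
        done
    } > "$cfg"
    openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# san_names CERT: the SAN entries as plain "TYPE:value" strings, one per
# line, which is all a substring matcher needs
san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# der_size CERT: the certificate's size on the wire in bytes
der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# fits_record CERT: succeeds when the DER certificate fits one 2^14-byte record
fits_record() {
    [ "$(der_size "$1")" -le 16384 ]
}

make_cert small 100
make_cert big 1000
for name in small big; do
    printf '%s: %s SAN entries, %s DER bytes, ' "$name" \
        "$(san_names "$WORK/$name.pem" | wc -l | tr -d ' ')" "$(der_size "$WORK/$name.pem")"
    if fits_record "$WORK/$name.pem"; then echo "fits one record"; else echo "too big"; fi
done
```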
RE: [FWD] How to add X509v3 Subject Alternative Name into cert created by openssl
...and the relevant doc is here:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlo Milono
Sent: Monday, December 08, 2008 1:48 PM
To: openssl-users@openssl.org
Cc: mohammed khan
Subject: RE: [FWD] How to add X509v3 Subject Alternative Name into cert created by openssl

For example: set emailAddress in [ req_distinguished_name ] of your configuration, then direct it in [ usr_cert ] with

    subjectAltName=email:copy

    ...
    X509v3 Subject Alternative Name:
        email:[EMAIL PROTECTED]
    ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: Monday, December 08, 2008 12:20 AM
To: openssl-users@openssl.org
Cc: mohammed khan
Subject: [FWD] How to add X509v3 Subject Alternative Name into cert created by openssl

Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from mohammed khan <[EMAIL PROTECTED]> -

Date: Mon, 24 Nov 2008 15:30:11 -0800 (PST)
From: mohammed khan <[EMAIL PROTECTED]>
Subject: How to add X509v3 Subject Alternative Name into cert created by openssl
To: [EMAIL PROTECTED]

Hi,

I need to create a certificate having Subject Alternative name in it but don't know how. I am using OpenSSL 0.9.8b 04 May 2006

I'd really appreciate your help.

Thanks
Mike

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
RE: [FWD] How to add X509v3 Subject Alternative Name into cert created by openssl
For example: set emailAddress in [ req_distinguished_name ] of your configuration, then direct it in [ usr_cert ] with

    subjectAltName=email:copy

    ...
    X509v3 Subject Alternative Name:
        email:[EMAIL PROTECTED]
    ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: Monday, December 08, 2008 12:20 AM
To: openssl-users@openssl.org
Cc: mohammed khan
Subject: [FWD] How to add X509v3 Subject Alternative Name into cert created by openssl

Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from mohammed khan <[EMAIL PROTECTED]> -

Date: Mon, 24 Nov 2008 15:30:11 -0800 (PST)
From: mohammed khan <[EMAIL PROTECTED]>
Subject: How to add X509v3 Subject Alternative Name into cert created by openssl
To: [EMAIL PROTECTED]

Hi,

I need to create a certificate having Subject Alternative name in it but don't know how. I am using OpenSSL 0.9.8b 04 May 2006

I'd really appreciate your help.

Thanks
Mike

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] How to add X509v3 Subject Alternative Name into cert created by openssl
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from mohammed khan <[EMAIL PROTECTED]> -

Date: Mon, 24 Nov 2008 15:30:11 -0800 (PST)
From: mohammed khan <[EMAIL PROTECTED]>
Subject: How to add X509v3 Subject Alternative Name into cert created by openssl
To: [EMAIL PROTECTED]

Hi,

I need to create a certificate having Subject Alternative name in it but don't know how. I am using OpenSSL 0.9.8b 04 May 2006

I'd really appreciate your help.

Thanks
Mike

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: How to add X509v3 Subject Alternative Name into the cert by using openssl?
Yang Wang wrote:
> Hi,
>
> I am looking for a solution to add X509v3 Subject Alternative Name into the
> cert with openssl. The subject Alternative Name I need to add is in the
> format of
>
> Other Name:
> Principal [EMAIL PROTECTED]
>
> Can any one show me how to achieve it? I really appreciate your help.
>

As found at: http://weblog.elwing.org/elwing/index.php/2004/12/10/using-openssl-to-put-a-microsoft-upn-in-a-certificate/

I think what you are looking for is:

    subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:[EMAIL PROTECTED]

Hope that helps.

Patrick.
How to add X509v3 Subject Alternative Name into the cert by using openssl?
Hi,

I am looking for a solution to add X509v3 Subject Alternative Name into the cert with openssl. The subject Alternative Name I need to add is in the format of

    Other Name:
        Principal [EMAIL PROTECTED]

Can any one show me how to achieve it? I really appreciate your help.

Thanks,
Yang
Re: Subject Alternative Name
> Look for "copy_extensions" in the ca manual page.

Stephen - thanks for the quick answer!

-Marton
Re: Subject Alternative Name
On Wed, May 18, 2005, Marton Anka wrote:
> Hello,
>
> I'm trying to make subject alternative names work as extensions specified in
> the request and not during the signing process.
>
> I can specify "subjectAltName = DNS:whatever" in the extensions section of
> the configuration file. If I do this during signing the request (as a CA)
> then the signed certificate will have the subjectAltName extension in it.
>
> If, however, I specify subjectAltName in the configuration file while
> generating a request then the request will have an extension stating the
> alternative names, but the signed certificate will not.
>

Look for "copy_extensions" in the ca manual page.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Subject Alternative Name
Hello,

I'm trying to make subject alternative names work as extensions specified in the request and not during the signing process.

I can specify "subjectAltName = DNS:whatever" in the extensions section of the configuration file. If I do this during signing the request (as a CA) then the signed certificate will have the subjectAltName extension in it.

If, however, I specify subjectAltName in the configuration file while generating a request then the request will have an extension stating the alternative names, but the signed certificate will not.

Obviously it's not a huge problem but still, I'd like to know if I can somehow tell the signing process to leave the extensions specified in the request alone. We're using OpenSSL to generate our requests, and signing them with either OpenSSL or Microsoft's certificate services on the AD controller. Generating a request with the subjectAltName extension is the ONLY way to get it included with Microsoft's solution. It looks like with OpenSSL it's the other way around: no matter what the request contains, if the signing config file does not explicitly specify subjectAltName fields they will not be included in the certificate.

For what it's worth, here's the config file we use for signing:

[ ca ]
default_ca = ca_default

[ ca_default ]
x509_extensions = usr_cert

[ usr_cert ]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
basicConstraints = critical, CA:false
nsCertType = server
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsComment = "Certificate test."
And this is the config file for generating the request:

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = usr_cert

[ req_distinguished_name ]
commonName = commonName
commonName_value = test.test.com
commonName_max = 128

[ usr_cert ]
subjectAltName = DNS:test.test.com, DNS:localhost

Copying the subjectAltName line from usr_cert to the same section in the signing configuration file produces the correct results, but I'd rather not specify the alternate names twice if possible. Any ideas?

Thanks in advance,
Marton Anka
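The behaviour Marton describes, and the copy_extensions setting Steve points to, can be seen end to end with a throwaway CA. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a request carrying the same subjectAltName as the posted config, signs it twice with "openssl ca" (once with the default copy_extensions = none, once with copy_extensions = copy) and reports whether the request's SAN survived. It assumes an openssl binary on PATH (1.1.1 or later, for "x509 -ext"); the CA name, the working directory and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway CA signs the same
# request twice, once with the default copy_extensions = none and once with
# copy_extensions = copy, to show where the request's subjectAltName ends up.
# Requires the openssl CLI (1.1.1 or later for "x509 -ext"). All paths and
# names are made up for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/copyext-demo.$$"
CADIR="$WORK/ca"
mkdir -p "$CADIR"

# The request carries a subjectAltName, as in the configuration in the post.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = usr_cert

[ req_distinguished_name ]
commonName = test.test.com

[ usr_cert ]
subjectAltName = DNS:test.test.com, DNS:localhost
EOF
openssl req -new -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/req.key" -out "$WORK/req.csr" 2>/dev/null

# A self-signed CA certificate plus the empty database "openssl ca" needs.
cat > "$CADIR/cacert.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
CN = Demo CA
[ ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CADIR/cacert.cnf" \
    -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" 2>/dev/null
: > "$CADIR/index.txt"
echo 01 > "$CADIR/serial"

# sign MODE NAME: run "openssl ca" with copy_extensions = MODE over req.csr,
# writing the certificate to $WORK/NAME.pem. The CA's own extension section
# mirrors the post's usr_cert, so the CA never sets subjectAltName itself.
sign() {
    mode=$1
    name=$2
    cat > "$WORK/ca-$mode.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
new_certs_dir   = $CADIR
database        = $CADIR/index.txt
serial          = $CADIR/serial
certificate     = $CADIR/ca.pem
private_key     = $CADIR/ca.key
default_md      = sha256
default_days    = 1
policy          = policy_any
unique_subject  = no
x509_extensions = usr_cert
copy_extensions = $mode
[ policy_any ]
commonName = supplied
[ usr_cert ]
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
basicConstraints       = critical, CA:false
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
    openssl ca -batch -notext -config "$WORK/ca-$mode.cnf" \
        -in "$WORK/req.csr" -out "$WORK/$name.pem" 2>/dev/null
}

# san_kept NAME: succeeds if NAME.pem carries the DNS names from the request.
san_kept() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName 2>/dev/null |
        grep -q 'DNS:localhost'
}

# ca_policy_kept NAME: succeeds if the CA's own extensions were applied.
ca_policy_kept() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext basicConstraints 2>/dev/null |
        grep -q 'CA:FALSE'
}

sign none nocopy     # the default: request extensions are ignored
sign copy withcopy   # request extensions the CA does not set itself are copied

for c in nocopy withcopy; do
    if san_kept "$c"; then echo "$c: SAN from request present"
    else echo "$c: SAN from request dropped"; fi
done
```

With copy, an extension the CA's own section already sets (basicConstraints, keyUsage, and so on) wins over the request's copy, which is why the script checks that CA:FALSE is still there in both certificates. copyall reverses that and lets the request override the CA's extensions; the ca(1) manual page warns that a request carrying basicConstraints CA:TRUE, signed with copyall and not read before issuance, hands the requester a working CA certificate. The same -config file can be supplied to openssl ca, or the extension section can be chosen per run with -extensions / -extfile, without changing this behaviour.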
Re: How to add X509v3 Subject Alternative Name into the cert with openssl?
On Fri, Dec 17, 2004, alan alan wrote:

> Hi,
>
> How to add X509v3 Subject Alternative Name into the cert with openssl?
> Such as:
> X509v3 extensions:
> X509v3 Subject Alternative Name: critical
> IP Address:192.168.0.188
>
> How to use openssl to realize this?
> Thanks.
>

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: How to add X509v3 Subject Alternative Name into the cert with openssl?
You can do this in the config file - I'll leave others to tell you how as I'm a bit rusty on that stuff.

The reason I'm replying is that it is definitely not good form to mark AlternateName extension as critical. Of course it is valid to do that, but why should a relying application be FORCED to parse AlternateName?

PS Please don't post in HTML.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of alan alan
Sent: 17 December 2004 05:05
To: [EMAIL PROTECTED]
Subject: How to add X509v3 Subject Alternative Name into the cert with openssl?

Hi,

How to add X509v3 Subject Alternative Name into the cert with openssl?
Such as:
X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address:192.168.0.188

How to use openssl to realize this?
Thanks.

Regards.
alan.
How to add X509v3 Subject Alternative Name into the cert with openssl?
Hi,

How to add X509v3 Subject Alternative Name into the cert with openssl?
Such as:

X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address:192.168.0.188

How to use openssl to realize this?
Thanks.

Regards.
alan.
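Two threads above end in a config-file answer: Patrick's otherName line for a Microsoft UPN, and Steve's pointer to the x509v3_config page for alan's IP-address SAN, with Dave's objection to marking the extension critical. The script below is an added example, not code from any of those posts or from the OpenSSL project: it writes a small req config for each case, issues a self-signed certificate from it, and reads the SAN back with "openssl x509 -ext" so that the critical flag and the decoded value can be checked. It assumes an openssl binary on PATH (1.1.1 or later, for "x509 -ext"); the UPN alice@corp.example, the working directory and the certificate names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build self-signed certificates
# whose subjectAltName comes from an OpenSSL config file, then inspect them.
# Requires the openssl CLI (1.1.1 or later for "x509 -ext"). The UPN value,
# the working directory and the file names are made up for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# make_san_cert NAME SAN_SPEC
#   Writes $WORK/NAME.pem: a self-signed certificate for CN=NAME whose
#   subjectAltName is SAN_SPEC, written in x509v3_config syntax.
make_san_cert() {
    name=$1
    san=$2
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext
[ dn ]
CN = $name
[ v3_ext ]
basicConstraints = CA:false
subjectAltName   = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# san_header NAME: the "X509v3 Subject Alternative Name: ..." line of NAME.pem
san_header() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName | sed -n '1p'
}

# san_value NAME: the decoded SAN value line(s), leading whitespace stripped
san_value() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName |
        sed -n '2,$p' | sed 's/^[[:space:]]*//'
}

# san_is_critical NAME: succeeds only if the SAN extension is flagged critical
san_is_critical() {
    san_header "$1" | grep -q 'critical'
}

# 1. Microsoft UPN as an otherName (OID 1.3.6.1.4.1.311.20.2.3, UTF8String),
#    the form given in Patrick's reply.
make_san_cert upn 'otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example'

# 2. IP address SAN, non-critical: what alan asked for, minus the "critical".
make_san_cert ipok 'IP:192.168.0.188'

# 3. The same SAN marked critical. Valid, but every relying party must then
#    understand the extension or reject the certificate outright.
make_san_cert ipcrit 'critical, IP:192.168.0.188'

for c in upn ipok ipcrit; do
    printf '%s: %s | %s\n' "$c" "$(san_header "$c")" "$(san_value "$c")"
done
```

The value line for the IP certificates reads "IP Address:192.168.0.188" and only the third header carries "critical", which is the property Dave objects to. How the UPN prints depends on the OpenSSL version: 1.1.1 does not decode that otherName and shows "othername:<unsupported>", while 3.x decodes it; in both cases the DER carries the OID and the UTF8String, which is what a Windows relying party reads. The same [ v3_ext ] section works unchanged as a req_extensions section for a CSR, or as the x509_extensions section of an openssl ca config.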