Hi,

Really, thanks for your attention and complete reply. Then, according to your explanation, it's better that I set SubjectAltName instead of DN, is that true? In the previous mail, you told me that if I do not set leftid or my certificate does not contain DN or SubjectAltName, then one default value will be selected, OK, but what is this value? In order to restrict and increase security in the connection phase of two gateways, it's better that I set DN or SubjectAltName so that only the gateway I want can connect to my gateway.
Thanks a lot for your help.

On Sunday, September 25, 2011, Andreas Steffen <[email protected]> wrote:
> The subject distinguished name or subject DN of an X.509 certificate
> consists of several Relative Distinguished Names (RDNs) and therefore
> can be quite tiresome to write as in
>
>   "C=DE, ST=Mecklenburg-Vorpommern, L=Rostock, O=Finanzamt,
>    OU=Zentrale Informations- und Annahmestelle, CN=steuerportal-mv.de,
>    [email protected]"
>
> Therefore often one or several subjectAlternativeNames or Aliases
> are added as X.509v3 extensions to a certificate, like e.g.
>
>   DNS:moon.strongswan.org
>   email:[email protected]
>   IP:11.22.33.44
>
> (given in openssl.cnf notation) which saves a lot of typing work and
> helps to eliminate errors.
>
> Regards
>
> Andreas
>
> On 09/25/2011 02:58 PM, nima chavooshi wrote:
>>
>> Hi
>> Thanks a lot for your quick reply.
>> Excuse me for my dummy question. I am somewhat confused.
>> May you give me more explanation about "subject distinguished name",
>> "subjectAltName", "subject DN" field on X509 certification?
>> According to what you told me, I should define leftid at least, is that true?
>>
>> Thanks in advance for any help or guidance
>>
>> On Sun, Sep 25, 2011 at 2:16 PM, Andreas Steffen
>> <[email protected]> wrote:
>>
>>     Hello,
>>
>>     left|rightid *must* be either the subject distinguished name or
>>     a subjectAltName extension contained in the certificate. If you
>>     don't define leftid or if leftid is not defined in the certificate
>>     then automatically the subject DN is assumed as a default.
>>
>>     As a responder you can define rightid=%any, in that case any
>>     peer with a trusted and non-revoked certificate will be accepted.
>>
>>     Regards
>>
>>     Andreas
>
> --
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
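
The two behaviours discussed in this thread, side by side, as an added ipsec.conf example that is not part of the original messages or of the strongSwan project's own configuration. The certificate file name, the peer name sun.example.org and the peer DN are constructed assumptions; moon.strongswan.org is the subjectAltName quoted above.

```conf
# /etc/ipsec.conf on the responder gateway (constructed example)

# Permissive: rightid=%any accepts any peer that presents a trusted,
# non-revoked certificate, whatever identity that certificate carries.
conn any-trusted-peer
    left=%defaultroute
    leftcert=moonCert.pem
    # leftid is not set, so the subject DN of moonCert.pem is used
    right=%any
    rightid=%any
    auto=add

# Restricted by subjectAltName: only a peer whose certificate contains
# DNS:sun.example.org can authenticate on this connection.
conn only-sun-by-san
    left=%defaultroute
    leftcert=moonCert.pem
    # must be present in moonCert.pem as DNS:moon.strongswan.org,
    # otherwise the subject DN is used instead
    leftid=@moon.strongswan.org
    right=%any
    rightid=@sun.example.org
    auto=add

# Restricted by subject DN: same effect, but the full DN has to be
# written out and must match the peer certificate's subject.
conn only-sun-by-dn
    left=%defaultroute
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    right=%any
    rightid="C=CH, O=Example Org, CN=sun.example.org"
    auto=add
```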
