Multiple domains in one certificate


Multiple domains in one certificate

webmaster-43
Hi,

I know it isn't the correct way to do stuff, but since it's only a test server
I want to do the following:
I have a server with 2 ethernet cards, one for the internal net, one for the
external. Both have different IP addresses and different domain names
(the external one even has some CNAMEs). What I want is one certificate which
contains all domains, CNAMEs and IP addresses...

Hope someone can help me with this,
Mark

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Multiple domains in one certificate

Joseph Oreste Bruni-2
You can have as many commonNames as you want. That goes for
subjectAltName fields too. I do that on an apache server (not using
TLS) that needs to host more than one SSL site. Every browser I've
used is okay with certs that have multiple CN's.


On Nov 4, 2005, at 6:27 AM, [hidden email] wrote:

> Hi,
>
> I know it isn't the correct way to do stuff, but since it's only a
> test server I want to do the following:
> I have a server with 2 ethernet cards, one for the internal net, one
> for the external. Both have different IP addresses and different domain names
> (the external one even has some CNAMEs). What I want is one certificate which
> contains all domains, CNAMEs and IP addresses...
>
> Hope someone can help me with this,
> Mark



Re: Multiple domains in one certificate

Goetz Babin-Ebell
Joseph Oreste Bruni wrote:
> You can have as many commonNames as you want. That goes for
> subjectAltName fields too. I do that on an apache server (not using TLS)
> that needs to host more than one SSL site. Every browser I've used is
> okay with certs that have multiple CN's.

But he should use the subjectAltName extension.
Using the CN is deprecated.

> On Nov 4, 2005, at 6:27 AM, [hidden email] wrote:
>
>> I know it isn't the correct way to do stuff, but since it's only a test
>> server I want to do the following:
>> I have a server with 2 ethernet cards, one for the internal net, one for the
>> external. Both have different IP addresses and different domain names
>> (the external one even has some CNAMEs). What I want is one certificate which
>> contains all domains, CNAMEs and IP addresses...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Re: Multiple domains in one certificate

Joseph Oreste Bruni-2
Yep. But CA's typically put them in both anyway.

On the other hand, if every site appears within the same domain (e.g.  
foo.domain.com, bar.domain.com, baz.domain.com), it might be better  
to get a domain cert that contains "*.domain.com".

-Joe



On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:

> Joseph Oreste Bruni wrote:
>> You can have as many commonNames as you want. That goes for  
>> subjectAltName fields too. I do that on an apache server (not  
>> using TLS) that needs to host more than one SSL site. Every  
>> browser I've used is okay with certs that have multiple CN's.
>
> But he should use the subjectAltName extension.
> Using the CN is deprecated.
>
>> On Nov 4, 2005, at 6:27 AM,  
>> [hidden email] wrote:
>>> I know it isn't the correct way to do stuff, but since it's only a
>>> test server I want to do the following:
>>> I have a server with 2 ethernet cards, one for the internal net, one
>>> for the external. Both have different IP addresses and different domain
>>> names (the external one even has some CNAMEs). What I want is one
>>> certificate which contains all domains, CNAMEs and IP addresses...
>
> Bye
>
> Goetz
>
> --
> DMCA: The greed of the few outweighs the freedom of the many



RE: Multiple domains in one certificate

webmaster-43
> -----Original Message-----
> From: [hidden email] [mailto:owner-openssl-
> [hidden email]] On Behalf Of Joseph Oreste Bruni
> Sent: Friday 4 November 2005 23:32
> To: [hidden email]
> Subject: Re: Multiple domains in one certificate
>
> Yep. But CA's typically put them in both anyway.
>
> On the other hand, if every site appears within the same domain (e.g.
> foo.domain.com, bar.domain.com, baz.domain.com), it might be better
> to get a domain cert that contains "*.domain.com".
>
> -Joe
Both domains are different since my internal net is managed by me alone (and
it is neither permissible nor possible to run your own DNS for the domain
names assigned by the provider)...

>
>
>
> On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:
>
> > Joseph Oreste Bruni wrote:
> >> You can have as many commonNames as you want. That goes for
> >> subjectAltName fields too. I do that on an apache server (not
> >> using TLS) that needs to host more than one SSL site. Every
> >> browser I've used is okay with certs that have multiple CN's.
> >
> > But he should use the subjectAltName extension.
> > Using the CN is deprecated.
How do I define the subjectAltName? I've tried it already but
failed... What configuration directives are needed?

> >
> >> On Nov 4, 2005, at 6:27 AM,
> >> [hidden email] wrote:
> >>> I know it isn't the correct way to do stuff, but since it's only a
> >>> test server I want to do the following:
> >>> I have a server with 2 ethernet cards, one for the internal net, one
> >>> for the external. Both have different IP addresses and different domain
> >>> names (the external one even has some CNAMEs). What I want is one
> >>> certificate which contains all domains, CNAMEs and IP addresses...
> >
> > Bye
> >
> > Goetz
> >
> > --
> > DMCA: The greed of the few outweighs the freedom of the many

Thanks for the response so far and hope someone can help me with the last
pieces,
Mark


Re: Multiple domains in one certificate

Goetz Babin-Ebell
[hidden email] wrote:
>> -----Original Message-----
>> From: [hidden email] [mailto:owner-openssl-
>>
>> Yep. But CA's typically put them in both anyway.
>>
>> On the other hand, if every site appears within the same domain (e.g.
>> foo.domain.com, bar.domain.com, baz.domain.com), it might be better
>> to get a domain cert that contains "*.domain.com".

> Both domains are different since my internal net is managed by me alone (and
> it is neither permissible nor possible to run your own DNS for the domain
> names assigned by the provider)...

I had the same problem here:
My server has a different name when connected from the inside
than when connected from the outside (but this is good for testing...)

As long as you issue your own certificates it is trivial...

>> On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:
>>
>>> Joseph Oreste Bruni wrote:
>>>> You can have as many commonNames as you want. That goes for
>>>> subjectAltName fields too. I do that on an apache server (not
>>>> using TLS) that needs to host more than one SSL site. Every
>>>> browser I've used is okay with certs that have multiple CN's.
>>> But he should use the subjectAltName extension.
>>> Using the CN is deprecated.

> How do I define the subjectAltName? I've tried it already but
> failed... What configuration directives are needed?

Which OpenSSL version do you use?
0.9.8 should be best.
(Additionally you could try my patch (Ticket 1050 / 1052) which gives
  you greater influence in setting the entry...)

An extract from my openssl.cnf:

[...]
[ ssl_cert ]

# These extensions are added when 'ca' signs a request.
[...]

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
subjectAltName=email:move,DNS:copy.commonName,DNS:shomitefo.dyndns.org
[...]

Description:
generate a subjectAltName extension containing
1. a generalName of type emailAddress containing
    the email address from the DN of the request (deleted from the DN)
    (if set)
2. a generalName of type dnsName containing a copy of
    the DN entry commonName of the request (if set)
    (this requires my patch in ticket 1050 / 1052)
3. a generalName of type dnsName containing my dyndns.org domain.

Since you are not the first one I have pointed to my patch, I would
like somebody from the core team to have a look at it and
include it in the head...
(nag, nag... :-) )


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


RE: Multiple domains in one certificate

webmaster-43
Thanks for all the info; after a lot of trying I have created a working
certificate. For now I have just a few questions left: is it possible
(without (shell) scripts) to do the following, and how?
1) include a .conf file with the subjectAltName extension configured for a
certain certificate.
2) include the subjectAltName in a CSR to be signed by a CA (which for now is a
self-signed CA, but might be a real CA someday).
3) enter the subjectAltName the same way you enter a commonName

Ciao,
Mark

> -----Original Message-----
> From: [hidden email] [mailto:owner-openssl-
> [hidden email]] On Behalf Of Goetz Babin-Ebell
> Sent: Sunday 6 November 2005 1:52
> To: [hidden email]
> Subject: Re: Multiple domains in one certificate
>
> [hidden email] wrote:
> >> -----Original Message-----
> >> From: [hidden email] [mailto:owner-openssl-
> >>
> >> Yep. But CA's typically put them in both anyway.
> >>
> >> On the other hand, if every site appears within the same domain (e.g.
> >> foo.domain.com, bar.domain.com, baz.domain.com), it might be better
> >> to get a domain cert that contains "*.domain.com".
>
> > Both domains are different since my internal net is managed by me alone
> > (and it is neither permissible nor possible to run your own DNS for the
> > domain names assigned by the provider)...
>
> I had the same problem here:
> My server has a different name when connected from the inside
> than when connected from the outside (but this is good for testing...)
>
> As long as you issue your own certificates it is trivial...
>
> >> On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:
> >>
> >>> Joseph Oreste Bruni wrote:
> >>>> You can have as many commonNames as you want. That goes for
> >>>> subjectAltName fields too. I do that on an apache server (not
> >>>> using TLS) that needs to host more than one SSL site. Every
> >>>> browser I've used is okay with certs that have multiple CN's.
> >>> But he should use the subjectAltName extension.
> >>> Using the CN is deprecated.
>
> > How do I define the subjectAltName? I've tried it already but
> > failed... What configuration directives are needed?
>
> Which OpenSSL version do you use?
> 0.9.8 should be best.
> (Additionally you could try my patch (Ticket 1050 / 1052) which gives
>   you greater influence in setting the entry...)
>
> An extract from my openssl.cnf:
>
> [...]
> [ ssl_cert ]
>
> # These extensions are added when 'ca' signs a request.
> [...]
>
> # This stuff is for subjectAltName and issuerAltname.
> # Import the email address.
> # subjectAltName=email:copy
> # An alternative to produce certificates that aren't
> # deprecated according to PKIX.
> subjectAltName=email:move,DNS:copy.commonName,DNS:shomitefo.dyndns.org
> [...]
>
> Description:
> generate a subjectAltName extension containing
> 1. a generalName of type emailAddress containing
>     the email address from the DN of the request (deleted from the DN)
>     (if set)
> 2. a generalName of type dnsName containing a copy of
>     the DN entry commonName of the request (if set)
>     (this requires my patch in ticket 1050 / 1052)
> 3. a generalName of type dnsName containing my dyndns.org domain.
>
> Since you are not the first one I have pointed to my patch, I would
> like somebody from the core team to have a look at it and
> include it in the head...
> (nag, nag... :-) )
>
>
> Bye
>
> Goetz
>
> --
> DMCA: The greed of the few outweighs the freedom of the many


Re: Multiple domains in one certificate

Goetz Babin-Ebell
Mark van Beek wrote:
> Thanks for all the info; after a lot of trying I have created a working
> certificate. For now I have just a few questions left: is it possible
> (without (shell) scripts) to do the following, and how?
> 1) include a .conf file with the subjectAltName extension configured for a
> certain certificate.

You can edit / create the .conf file before you sign the certificate.

> 2) include the subjectAltName in a CSR to sign by a CA (which for now is a
> self-signed CA, but might be a real CA someday).

Usually the extensions are dropped on signing...

> 3) enter the subjectAltName the same way you enter a commonName

That is what my patch was for:
You set the host name as common name and the config entry
        subjectAltName=DNS:copy.commonName
will copy it into the subjectAltName extension.
With the config entry
        subjectAltName=DNS:move.commonName
the common name of the request will be moved into the subjectAltName
extension (and becomes a DNS name).

The part after copy. or move. says which part of the DN will be used
in the subjectAltName extension.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
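The config extract Goetz posted earlier in the thread depends on his copy.commonName patch. What follows is an added example, not code from this thread or from the OpenSSL project, doing the same job with stock OpenSSL syntax and covering Mark's three questions: a POSIX shell script writes a throwaway openssl.cnf whose subjectAltName section lists DNS names and IP addresses for both interfaces, creates a self-signed test CA, generates a server CSR that carries the SAN itself (-reqexts), signs it while the signer re-applies the extensions from its own config (the "extensions are dropped on signing" point, handled with -extfile/-extensions), and then checks the result. Every host name, the CA name and the addresses are constructed placeholders, and the section names ca_ext, server_ext and san_names are this example's own.

```shell
#!/bin/sh
# Added example; not code from this thread or from the OpenSSL project.
# Builds, in a temporary directory, a throwaway test CA and a server
# certificate whose subjectAltName lists every name the server answers
# to: the external domain, a CNAME of it, the internal domain, and both
# interface addresses. All names/addresses are constructed placeholders.
set -eu

# Minimal openssl.cnf. [ server_ext ] plays the role of Goetz's
# [ ssl_cert ] section but uses only stock OpenSSL syntax (DNS: and
# IP: entries), so no patch is required.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = www.external.example

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @san_names

[ san_names ]
DNS.1 = www.external.example
DNS.2 = mail.external.example
DNS.3 = server.internal.example
IP.1 = 203.0.113.10
IP.2 = 192.168.1.10
EOF
}

# 1. The self-signed test CA (-subj overrides the DN from the config).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test Lab CA" \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# 2. Server key and CSR. -reqexts writes the SAN into the request itself.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/openssl.cnf" -reqexts server_ext \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# 3. Sign. 'openssl x509 -req' ignores the extensions the CSR asks for,
# so the signer applies its own from -extfile/-extensions. ('openssl ca'
# likewise drops them unless copy_extensions = copy is set, which a CA
# should only enable after reviewing what requests may contain.)
sign_csr() {
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions server_ext \
        -out "$1/server.crt" 2>/dev/null
}

# Does the SAN extension of a CSR (kind=req) or certificate (kind=x509)
# contain the given entry, e.g. "IP Address:192.168.1.10"?
san_contains() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$3"
}

# Does the server certificate verify against the test CA?
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

build_all() {
    write_config "$1/openssl.cnf"
    make_ca "$1"
    make_csr "$1"
    sign_csr "$1"
}

# Usage: sh san_cert.sh demo
demo() {
    dir=$(mktemp -d)
    build_all "$dir"
    openssl x509 -in "$dir/server.crt" -noout -subject -issuer
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The same [ server_ext ] section serves both the request (-reqexts) and the signer (-extfile/-extensions), which is what makes question 1 and question 2 collapse into one config file; once the certificate is installed, the check in san_contains is the one to run whenever a name or address is added to either interface, since a name missing from the SAN is exactly what a browser will refuse.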
