Wildcard ssl certificate using subjectAltName

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
16 messages Options
Reply | Threaded
Open this post in threaded view
|

Wildcard ssl certificate using subjectAltName

Khai Doan
To quote rfc 2818:

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

Can some give me an example?  Am I doing this correctly:

subjectAltName=dNSName:192.168.1.12

What is value for dNSName ?  Is it supposed to be IP address?  Is it
supposed to be www.domain.com ?

I wish to create wild card certificates of the form *.domain.com and
*.*.domain.com that bind to a single IP address.  Has anyone done this?  
Does it work with Internet Explorer ?

Thank you.

Khai


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Kyle Hamilton
dNSName is a DNS name.  It can be an IP, but I'm not sure about the
encoding rules for it (SMTP requires an IP in the destination field to
be in the form [192.168.1.1] (in square brackets), but I don't know
about X.509v3; it could just be the IP without decoration.)

subjectAltName=dNSName: domain.com
subjectAltName=dNSName: *.domain.com
subjectAltName=dNSName: *.*.domain.com

The binding isn't done via IP address (as DNS can be spoofed), but
rather by proof of possession of secret key.

-Kyle H

On 2/10/06, Khai Doan <[hidden email]> wrote:

> To quote rfc 2818:
>
>    If a subjectAltName extension of type dNSName is present, that MUST
>    be used as the identity. Otherwise, the (most specific) Common Name
>    field in the Subject field of the certificate MUST be used. Although
>    the use of the Common Name is existing practice, it is deprecated and
>    Certification Authorities are encouraged to use the dNSName instead.
>
> Can some give me an example?  Am I doing this correctly:
>
> subjectAltName=dNSName:192.168.1.12
>
> What is value for dNSName ?  Is it supposed to be IP address?  Is it
> supposed to be www.domain.com ?
>
> I wish to create wild card certificates of the form *.domain.com and
> *.*.domain.com that bind to a single IP address.  Has anyone done this?
> Does it work with Internet Explorer ?
>
> Thank you.
>
> Khai
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Victor Duchovni
On Sat, Feb 11, 2006 at 01:34:28AM -0700, Kyle Hamilton wrote:

> It can be an IP, but I'm not sure about the
> encoding rules for it (SMTP requires an IP in the destination field to
> be in the form [192.168.1.1] (in square brackets)

This is really the "domain literal" construct in the mailbox grammar of
RFC822/821. It is not used alone.

        localpar@[domain-literal]

> subjectAltName=dNSName: domain.com
> subjectAltName=dNSName: *.domain.com
> subjectAltName=dNSName: *.*.domain.com

The semantics of "*.*.domain.com" are poorly defined. It is not likely
to work uniformly.

> The binding isn't done via IP address (as DNS can be spoofed), but
> rather by proof of possession of secret key.
>

Specifically, IP addresses in certificates are only useful, if the client
is configured to connect to a specific IP address and intends to verify
said address.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Mon, Feb 13, 2006, Victor Duchovni wrote:

> On Sat, Feb 11, 2006 at 01:34:28AM -0700, Kyle Hamilton wrote:
>
> > It can be an IP, but I'm not sure about the
> > encoding rules for it (SMTP requires an IP in the destination field to
> > be in the form [192.168.1.1] (in square brackets)
>
> This is really the "domain literal" construct in the mailbox grammar of
> RFC822/821. It is not used alone.
>
> localpar@[domain-literal]
>

The semantics for dNSName, which this refers to are stricter.

It has to be a hostname, cannot be an IP address (the iPAddress form is for
that) and cannot contain wild cards.

This is mentioned in RFC3280 et al.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Khai Doan
Has anyone successfully create a double wildcard certificate
(*.*.domain.com) ?  Does it work with MSIE 6 XP service pack 2 ?

Attached is my openssl.cnf, my test CSR, and my test certificate.  Can you
please see if anything wrong?

Does anyone has a working certificate with subjectAltName that I can take a
look ?

Thank you
Khai

>From: "Dr. Stephen Henson" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: Re: Wildcard ssl certificate using subjectAltName
>Date: Mon, 13 Feb 2006 18:47:19 +0100
>
>On Mon, Feb 13, 2006, Victor Duchovni wrote:
>
> > On Sat, Feb 11, 2006 at 01:34:28AM -0700, Kyle Hamilton wrote:
> >
> > > It can be an IP, but I'm not sure about the
> > > encoding rules for it (SMTP requires an IP in the destination field to
> > > be in the form [192.168.1.1] (in square brackets)
> >
> > This is really the "domain literal" construct in the mailbox grammar of
> > RFC822/821. It is not used alone.
> >
> > localpar@[domain-literal]
> >
>
>The semantics for dNSName, which this refers to are stricter.
>
>It has to be a hostname, cannot be an IP address (the iPAddress form is for
>that) and cannot contain wild cards.
>
>This is mentioned in RFC3280 et al.
>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>OpenSSL project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Mon, Feb 13, 2006, Khai Doan wrote:

> Has anyone successfully create a double wildcard certificate
> (*.*.domain.com) ?  Does it work with MSIE 6 XP service pack 2 ?
>
> Attached is my openssl.cnf, my test CSR, and my test certificate.  Can you
> please see if anything wrong?
>
> Does anyone has a working certificate with subjectAltName that I can take a
> look ?
>

You can successfully create one easily enough but it is unlikely to work. It
is a violation of RFC3280 and probably wont be implemented in MSIE. I haven't
tried it personally so there's an outside chance it might work.

If you want to include multiple separate host names then that is legal and
should work fine.

I can't comment on the CSR and test certificate as the attachment doesn't seem
to have been included...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Khai Doan
For some reason Hotmail does not allow me to attach those files:

Test CSR:


-----BEGIN CERTIFICATE REQUEST-----
MIICuzCCAiQCAQAwggF5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTESMBAGA1UEBxMJU2FuIE1hdGVvMRUwEwYDVQQKEwxHb3RHZW5pZS5jb20xFTAT
BgNVBAsTDFRlY2hub2xvZ2llczEZMBcGA1UEAxQQKi4qLmdvdGdlbmllLmNvbTEX
MBUGA1UEAxQOKi5nb3RnZW5pZS5jb20xFTATBgNVBAMTDGdvdGdlbmllLmNvbTEZ
MBcGA1UdERQQKi4qLmdvdGdlbmllLmNvbTEXMBUGA1UdERQOKi5nb3RnZW5pZS5j
b20xFTATBgNVHRETDGdvdGdlbmllLmNvbTEfMB0GCWCGSAGG+EIBDBQQKi4qLmdv
dGdlbmllLmNvbTEdMBsGCWCGSAGG+EIBDBQOKi5nb3RnZW5pZS5jb20xGzAZBglg
hkgBhvhCAQwTDGdvdGdlbmllLmNvbTEgMB4GCSqGSIb3DQEJARYRa2hhaUBnb3Rn
ZW5pZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKZF+wX2nzE0Doh2
W6KJytKEu8CampAGptJmAIt2U2p5tCwLMXp7MS10cUOC4yFOL7Y6+Voyyo6UNO3H
mVSSuZAWEs4hsOIK7lsFt1FYQxZ/XcaJfXrx3K9weaN/9ARco1p+QGIjJhHD/SLv
xm7MPm5lFMCISIOjwP8+XZcp9fthAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAP
incHoM4gXVC/BPfl1/o4XKmLlBzmIkmRZb+xhDHkxqEBnwF/jcm3OSpMDlIeYW3D
lMMzb9sDOqpEGGZt0W/dIbL0OytBpPP+xcYy6PYXuwNlvef+if+W6U/0mTlkMvA5
R/+KWg9dpcirc7OssFyWNkIxVD62AFwQUltd0enbNw==
-----END CERTIFICATE REQUEST-----

Test certificates:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=San Mateo, O=Genius Inc,
OU=Technologies, CN=Genius Inc/emailAddress=[hidden email]
        Validity
            Not Before: Feb 14 01:14:51 2006 GMT
            Not After : Feb 12 01:14:51 2016 GMT
        Subject: C=US, ST=California, L=San Mateo, O=GotGenie.com,
OU=Technologies, CN=*.*.gotgenie.com, CN=*.gotgenie.com,
CN=gotgenie.com/subjectAltName=*.*.gotgenie.com/subjectAltName=*.gotgenie.com/subjectAltName=gotgenie.com/nsSslServerName=*.*.gotgenie.com/nsSslServerName=*.gotgenie.com/nsSslServerName=gotgenie.com/emailAddress=[hidden email]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a6:45:fb:05:f6:9f:31:34:0e:88:76:5b:a2:89:
                    ca:d2:84:bb:c0:9a:9a:90:06:a6:d2:66:00:8b:76:
                    53:6a:79:b4:2c:0b:31:7a:7b:31:2d:74:71:43:82:
                    e3:21:4e:2f:b6:3a:f9:5a:32:ca:8e:94:34:ed:c7:
                    99:54:92:b9:90:16:12:ce:21:b0:e2:0a:ee:5b:05:
                    b7:51:58:43:16:7f:5d:c6:89:7d:7a:f1:dc:af:70:
                    79:a3:7f:f4:04:5c:a3:5a:7e:40:62:23:26:11:c3:
                    fd:22:ef:c6:6e:cc:3e:6e:65:14:c0:88:48:83:a3:
                    c0:ff:3e:5d:97:29:f5:fb:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            C7:C5:2B:56:F0:9C:48:E3:6C:C6:84:24:0C:C9:85:F9:CA:49:C2:40
            X509v3 Authority Key Identifier:
           
keyid:48:A3:D0:A4:B7:CB:62:71:54:49:EF:04:B6:D6:96:BF:3C:BB:3E:D5
            DirName:/C=US/ST=California/L=San Mateo/O=Genius
Inc/OU=Technologies/CN=Genius Inc/emailAddress=[hidden email]
            serial:00

    Signature Algorithm: md5WithRSAEncryption
        9b:c4:aa:b0:8f:d0:bc:2d:b6:f2:6c:c4:4d:c1:6f:c2:46:88:
        4e:d8:95:95:21:c0:36:f1:a8:0f:9d:ee:3a:44:ad:35:ac:dd:
        12:b6:0a:3f:09:47:c0:d0:ca:be:27:31:97:ff:a7:37:44:00:
        a1:ce:a4:c8:7f:2f:19:77:1c:ce:cf:9a:17:17:6a:52:40:8c:
        2a:10:9b:a5:21:d5:30:1b:5b:38:22:88:f9:fe:82:89:5e:15:
        9a:df:06:3f:e7:2a:d2:a6:6b:8c:02:f7:9a:c6:72:7d:25:e7:
        eb:8c:ef:f1:65:8e:96:a1:87:8b:64:c1:31:e6:b1:4b:10:3b:
        bb:da
-----BEGIN CERTIFICATE-----
MIIErjCCBBegAwIBAgIBDDANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVNhbiBNYXRlbzETMBEGA1UE
ChMKR2VuaXVzIEluYzEVMBMGA1UECxMMVGVjaG5vbG9naWVzMRMwEQYDVQQDEwpH
ZW5pdXMgSW5jMR4wHAYJKoZIhvcNAQkBFg9raGFpQGdlbml1cy5jb20wHhcNMDYw
MjE0MDExNDUxWhcNMTYwMjEyMDExNDUxWjCCAXkxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTYW4gTWF0ZW8xFTATBgNVBAoTDEdv
dEdlbmllLmNvbTEVMBMGA1UECxMMVGVjaG5vbG9naWVzMRkwFwYDVQQDFBAqLiou
Z290Z2VuaWUuY29tMRcwFQYDVQQDFA4qLmdvdGdlbmllLmNvbTEVMBMGA1UEAxMM
Z290Z2VuaWUuY29tMRkwFwYDVR0RFBAqLiouZ290Z2VuaWUuY29tMRcwFQYDVR0R
FA4qLmdvdGdlbmllLmNvbTEVMBMGA1UdERMMZ290Z2VuaWUuY29tMR8wHQYJYIZI
AYb4QgEMFBAqLiouZ290Z2VuaWUuY29tMR0wGwYJYIZIAYb4QgEMFA4qLmdvdGdl
bmllLmNvbTEbMBkGCWCGSAGG+EIBDBMMZ290Z2VuaWUuY29tMSAwHgYJKoZIhvcN
AQkBFhFraGFpQGdvdGdlbmllLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEApkX7BfafMTQOiHZboonK0oS7wJqakAam0mYAi3ZTanm0LAsxensxLXRxQ4Lj
IU4vtjr5WjLKjpQ07ceZVJK5kBYSziGw4gruWwW3UVhDFn9dxol9evHcr3B5o3/0
BFyjWn5AYiMmEcP9Iu/Gbsw+bmUUwIhIg6PA/z5dlyn1+2ECAwEAAaOCASMwggEf
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBTHxStW8JxI42zGhCQMyYX5yknCQDCBxAYDVR0j
BIG8MIG5gBRIo9Ckt8ticVRJ7wS21pa/PLs+1aGBnaSBmjCBlzELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVNhbiBNYXRlbzETMBEG
A1UEChMKR2VuaXVzIEluYzEVMBMGA1UECxMMVGVjaG5vbG9naWVzMRMwEQYDVQQD
EwpHZW5pdXMgSW5jMR4wHAYJKoZIhvcNAQkBFg9raGFpQGdlbml1cy5jb22CAQAw
DQYJKoZIhvcNAQEEBQADgYEAm8SqsI/QvC228mzETcFvwkaITtiVlSHANvGoD53u
OkStNazdErYKPwlHwNDKvicxl/+nN0QAoc6kyH8vGXcczs+aFxdqUkCMKhCbpSHV
MBtbOCKI+f6CiV4Vmt8GP+cq0qZrjAL3msZyfSXn64zv8WWOlqGHi2TBMeaxSxA7
u9o=
-----END CERTIFICATE-----

openssl.cnf:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /root/certificates # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName              = supplied
subjectAltName        = supplied
nsSslServerName         = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName              = optional
subjectAltName        = supplied
nsSslServerName         = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Berkshire

localityName = Locality Name (eg, city)
localityName_default = Newbury

0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

0.commonName = Common Name (eg, your name or your server\'s hostname)
0.commonName_max = 64
1.commonName                    = *.gotgenie.com
1.commonName_max                = 64
2.commonName                    = *.*.gotgenie.com
2.commonName_max                = 64

0.subjectAltName                = dNSName: gotgenie.com
1.subjectAltName                = dNSName: *.gotgenie.com
2.subjectAltName                = dNSName: *.*.gotgenie.com
3.subjectAltName                = dNSName: cert.gotgenie.com
4.subjectAltName                = dNSName:
5.subjectAltName                = dNSName:
6.subjectAltName                = dNSName:
7.subjectAltName                = dNSName:

0.nsSslServerName               = nsSslServerName: gotgenie.com
1.nsSslServerName               = nsSslServerName: *.gotgenie.com
2.nsSslServerName               = nsSslServerName: *.*.gotgenie.com

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


>From: "Dr. Stephen Henson" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: Re: Wildcard ssl certificate using subjectAltName
>Date: Tue, 14 Feb 2006 02:49:36 +0100
>
>On Mon, Feb 13, 2006, Khai Doan wrote:
>
> > Has anyone successfully create a double wildcard certificate
> > (*.*.domain.com) ?  Does it work with MSIE 6 XP service pack 2 ?
> >
> > Attached is my openssl.cnf, my test CSR, and my test certificate.  Can
>you
> > please see if anything wrong?
> >
> > Does anyone has a working certificate with subjectAltName that I can
>take a
> > look ?
> >
>
>You can successfully create one easily enough but it is unlikely to work.
>It
>is a violation of RFC3280 and probably wont be implemented in MSIE. I
>haven't
>tried it personally so there's an outside chance it might work.
>
>If you want to include multiple separate host names then that is legal and
>should work fine.
>
>I can't comment on the CSR and test certificate as the attachment doesn't
>seem
>to have been included...
>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>OpenSSL project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Mon, Feb 13, 2006, Khai Doan wrote:

> For some reason Hotmail does not allow me to attach those files:
>
> Test CSR:
>
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIICuzCCAiQCAQAwggF5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
> YTESMBAGA1UEBxMJU2FuIE1hdGVvMRUwEwYDVQQKEwxHb3RHZW5pZS5jb20xFTAT
> BgNVBAsTDFRlY2hub2xvZ2llczEZMBcGA1UEAxQQKi4qLmdvdGdlbmllLmNvbTEX
> MBUGA1UEAxQOKi5nb3RnZW5pZS5jb20xFTATBgNVBAMTDGdvdGdlbmllLmNvbTEZ
> MBcGA1UdERQQKi4qLmdvdGdlbmllLmNvbTEXMBUGA1UdERQOKi5nb3RnZW5pZS5j
> b20xFTATBgNVHRETDGdvdGdlbmllLmNvbTEfMB0GCWCGSAGG+EIBDBQQKi4qLmdv
> dGdlbmllLmNvbTEdMBsGCWCGSAGG+EIBDBQOKi5nb3RnZW5pZS5jb20xGzAZBglg
> hkgBhvhCAQwTDGdvdGdlbmllLmNvbTEgMB4GCSqGSIb3DQEJARYRa2hhaUBnb3Rn
> ZW5pZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKZF+wX2nzE0Doh2
> W6KJytKEu8CampAGptJmAIt2U2p5tCwLMXp7MS10cUOC4yFOL7Y6+Voyyo6UNO3H
> mVSSuZAWEs4hsOIK7lsFt1FYQxZ/XcaJfXrx3K9weaN/9ARco1p+QGIjJhHD/SLv
> xm7MPm5lFMCISIOjwP8+XZcp9fthAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAP
> incHoM4gXVC/BPfl1/o4XKmLlBzmIkmRZb+xhDHkxqEBnwF/jcm3OSpMDlIeYW3D
> lMMzb9sDOqpEGGZt0W/dIbL0OytBpPP+xcYy6PYXuwNlvef+if+W6U/0mTlkMvA5
> R/+KWg9dpcirc7OssFyWNkIxVD62AFwQUltd0enbNw==
> -----END CERTIFICATE REQUEST-----
>
> Test certificates:
>
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 12 (0xc)
>        Signature Algorithm: md5WithRSAEncryption
>        Issuer: C=US, ST=California, L=San Mateo, O=Genius Inc,
> OU=Technologies, CN=Genius Inc/emailAddress=[hidden email]
>        Validity
>            Not Before: Feb 14 01:14:51 2006 GMT
>            Not After : Feb 12 01:14:51 2016 GMT
>        Subject: C=US, ST=California, L=San Mateo, O=GotGenie.com,
> OU=Technologies, CN=*.*.gotgenie.com, CN=*.gotgenie.com,
> CN=gotgenie.com/subjectAltName=*.*.gotgenie.com/subjectAltName=*.gotgenie.com/subjectAltName=gotgenie.com/nsSslServerName=*.*.gotgenie.com/nsSslServerName=*.gotgenie.com/nsSslServerName=gotgenie.com/emailAddress=[hidden email]

Well you've put subjectAltName in the *subject* name. It should go in the
extensions part.

Look at:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

you need something like:

subjectAltName = DNS:whatever.hostname.com

in the certificate extensions section. Then the extension will appear when the
certificate is signed.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Khai Doan
Can I have

subjectAltName = critical,DNS:*.hostname.com

What other things are possible here (DNS, IP, email, URI, etc) ?

Using IP:192.168.10.16 and DNS:*.hostname.com does not seems to work
(Internet Explorer throw up a warning dialog: The name on the security
certificates is invalid or does not match the name of the site).


Has anyone successfully create a wild card certificate that bind to an IP
address ?

Thanks
Khai

>From: "Dr. Stephen Henson" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: Re: Wildcard ssl certificate using subjectAltName
>Date: Tue, 14 Feb 2006 04:23:03 +0100
>
>On Mon, Feb 13, 2006, Khai Doan wrote:
>
> > For some reason Hotmail does not allow me to attach those files:
> >
> > Test CSR:
> >
> >
> > -----BEGIN CERTIFICATE REQUEST-----
> > MIICuzCCAiQCAQAwggF5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
> > YTESMBAGA1UEBxMJU2FuIE1hdGVvMRUwEwYDVQQKEwxHb3RHZW5pZS5jb20xFTAT
> > BgNVBAsTDFRlY2hub2xvZ2llczEZMBcGA1UEAxQQKi4qLmdvdGdlbmllLmNvbTEX
> > MBUGA1UEAxQOKi5nb3RnZW5pZS5jb20xFTATBgNVBAMTDGdvdGdlbmllLmNvbTEZ
> > MBcGA1UdERQQKi4qLmdvdGdlbmllLmNvbTEXMBUGA1UdERQOKi5nb3RnZW5pZS5j
> > b20xFTATBgNVHRETDGdvdGdlbmllLmNvbTEfMB0GCWCGSAGG+EIBDBQQKi4qLmdv
> > dGdlbmllLmNvbTEdMBsGCWCGSAGG+EIBDBQOKi5nb3RnZW5pZS5jb20xGzAZBglg
> > hkgBhvhCAQwTDGdvdGdlbmllLmNvbTEgMB4GCSqGSIb3DQEJARYRa2hhaUBnb3Rn
> > ZW5pZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKZF+wX2nzE0Doh2
> > W6KJytKEu8CampAGptJmAIt2U2p5tCwLMXp7MS10cUOC4yFOL7Y6+Voyyo6UNO3H
> > mVSSuZAWEs4hsOIK7lsFt1FYQxZ/XcaJfXrx3K9weaN/9ARco1p+QGIjJhHD/SLv
> > xm7MPm5lFMCISIOjwP8+XZcp9fthAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAP
> > incHoM4gXVC/BPfl1/o4XKmLlBzmIkmRZb+xhDHkxqEBnwF/jcm3OSpMDlIeYW3D
> > lMMzb9sDOqpEGGZt0W/dIbL0OytBpPP+xcYy6PYXuwNlvef+if+W6U/0mTlkMvA5
> > R/+KWg9dpcirc7OssFyWNkIxVD62AFwQUltd0enbNw==
> > -----END CERTIFICATE REQUEST-----
> >
> > Test certificates:
> >
> > Certificate:
> >    Data:
> >        Version: 3 (0x2)
> >        Serial Number: 12 (0xc)
> >        Signature Algorithm: md5WithRSAEncryption
> >        Issuer: C=US, ST=California, L=San Mateo, O=Genius Inc,
> > OU=Technologies, CN=Genius Inc/emailAddress=[hidden email]
> >        Validity
> >            Not Before: Feb 14 01:14:51 2006 GMT
> >            Not After : Feb 12 01:14:51 2016 GMT
> >        Subject: C=US, ST=California, L=San Mateo, O=GotGenie.com,
> > OU=Technologies, CN=*.*.gotgenie.com, CN=*.gotgenie.com,
> >
>CN=gotgenie.com/subjectAltName=*.*.gotgenie.com/subjectAltName=*.gotgenie.com/subjectAltName=gotgenie.com/nsSslServerName=*.*.gotgenie.com/nsSslServerName=*.gotgenie.com/nsSslServerName=gotgenie.com/emailAddress=[hidden email]
>
>Well you've put subjectAltName in the *subject* name. It should go in the
>extensions part.
>
>Look at:
>
>http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
>
>you need something like:
>
>subjectAltName = DNS:whatever.hostname.com
>
>in the certificate extensions section. Then the extension will appear when
>the
>certificate is signed.
>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>OpenSSL project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Mon, Feb 13, 2006, Khai Doan wrote:

> Can I have
>
> subjectAltName = critical,DNS:*.hostname.com
>
> What other things are possible here (DNS, IP, email, URI, etc) ?
>

Did you  read the manual page I referenced:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

That tells you what can be used there with some examples.

> Using IP:192.168.10.16 and DNS:*.hostname.com does not seems to work
> (Internet Explorer throw up a warning dialog: The name on the security
> certificates is invalid or does not match the name of the site).
>

If it is now appears in "extensions" in the certificate then that
probably means IE doesn't support it.

>
> Has anyone successfully create a wild card certificate that bind to an IP
> address ?
>

That is illegal. You can only specify a single IP address per entry.

Why don't you explain what you are trying to do? There may be an alternative
method to achieve what you want.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Khai Doan



>From: "Dr. Stephen Henson" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: Re: Wildcard ssl certificate using subjectAltName
>Date: Tue, 14 Feb 2006 13:38:33 +0100
>
>On Mon, Feb 13, 2006, Khai Doan wrote:
>
> > Can I have
> >
> > subjectAltName = critical,DNS:*.hostname.com
> >
> > What other things are possible here (DNS, IP, email, URI, etc) ?
> >
>
>Did you  read the manual page I referenced:
>
>http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
>
>That tells you what can be used there with some examples.

I read the manual page you referenced, but RFC seems to mention dNSName, and
when I try it

subjectAltName = critical,dNSName:*.domain.com

openssl give me error, so I am confused.

>
> > Using IP:192.168.10.16 and DNS:*.hostname.com does not seems to work
> > (Internet Explorer throw up a warning dialog: The name on the security
> > certificates is invalid or does not match the name of the site).
> >
>
>If it is now appears in "extensions" in the certificate then that
>probably means IE doesn't support it.
>
> >
> > Has anyone successfully create a wild card certificate that bind to an
>IP
> > address ?
> >
>
>That is illegal. You can only specify a single IP address per entry.
>
>Why don't you explain what you are trying to do? There may be an
>alternative
>method to achieve what you want.

I am trying to create a certificate (either host base or service base, in
this case it is for the web).  The idea is: the browser open a connection
using whatever IP address that DNS give, use this IP to compare with the IP
address presented in the certificate.  This should work regardless of the
hostname of the URL whether it is a.domain.com or b.domain.com or
a.b.domain.com or *.domain.com or *.*.domain.com where * can be anything.  
In my environment, I literally have thousand identity that need to fit into
the wildcard, and I rather not list them all using subjectAltName.  I rather
use:

subjectAltName =
critical,DNS:*.hostname.com,DNS:*.*.hostname.com,IP:192.168.10.16

and I rather not create thousand of IP-based virtual host (inside apache
httpd.conf).  I really want host based or service based certificate.

For this to work, do I need to run DNSSEC ? (This service can be outsource
to a third party DNS service provider, where their certificate can be
independently verified).

>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>OpenSSL project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Tue, Feb 14, 2006, Khai Doan wrote:

>
>
> I read the manual page you referenced, but RFC seems to mention dNSName,
> and when I try it
>
> subjectAltName = critical,dNSName:*.domain.com
>
> openssl give me error, so I am confused.
>

The RFC says dNSName, this is the same as DNS in OpenSSL.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Victor Duchovni
On Tue, Feb 14, 2006 at 10:37:09PM +0100, Dr. Stephen Henson wrote:

> On Tue, Feb 14, 2006, Khai Doan wrote:
>
> >
> >
> > I read the manual page you referenced, but RFC seems to mention dNSName,
> > and when I try it
> >
> > subjectAltName = critical,dNSName:*.domain.com
> >
> > openssl give me error, so I am confused.
> >
>
> The RFC says dNSName, this is the same as DNS in OpenSSL.
>

Perhaps a sample working ".conf" file will help:

    [ req ]
    default_bits            = 1024
    default_md              = sha1
    default_keyfile         = newkey.pem
    distinguished_name      = req_distinguished_name
    prompt                  = no
    string_mask             = nombstr
    req_extensions          = v3_req

    [ req_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Acme Inc.
    organizationalUnitName  = Wobbly Widget Workshop
    commonName              = www.acme.com
    emailAddress            = [hidden email]

    [ v3_req ]
    basicConstraints        = CA:FALSE
    keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

    # Some CAs do not yet support subjectAltName in CSRs.
    # Instead the additional names are form entries on web
    # pages where one requests the certificate...
    subjectAltName          = @alt_names

    [ alt_names ]
    DNS.1                   = www.acme.com
    DNS.2                   = www.acme.org
    DNS.3                   = www.acme.net

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

caveman007
In reply to this post by Dr. Stephen Henson
BTW, when I want to extract this DNS (e.g. in the case of authentication/identity validation)
as a char* string, I'm trying this:

GENERAL_NAME* gen = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
if (gen && gen->type == GEN_DNS) {
    char* buf = i2s_ASN1_OCTET_STRING(X509V3_EXT_get_nid(NID_dNSDomain),
                                   (gen->d.dNSName) );
    ...
}

 Everything goes OK with obtaining GENERAL_NAME* structure and it's GEN_DNS type check,
until the point of conversion. The 'buf' stays NULL, even when replacing the X509V3_EXT_METHOD*
with NID_subject_alt_name or just NULL.
 Many people talk about such a task of extracting dNSName, but could anybody show it?
Regards, --plef--
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

Dr. Stephen Henson
On Wed, Mar 08, 2006, caveman007 (sent by Nabble.com) wrote:

>
> BTW, when I want to extract this DNS (e.g. in the case of
> authentication/identity validation)
> as a char* string, I'm trying this:
>
> GENERAL_NAME* gen = X509_get_ext_d2i (cert, NID_dNSDomain, NULL, NULL);
> if (gen && gen->type == GEN_DNS) {
>     char* buf = i2s_ASN1_OCTET_STRING(X509V3_EXT_get_nid(NID_dNSDomain),
>                                    (gen->d.dNSName) );
>     ...
> }
>
>  Everything goes OK with obtaining GENERAL_NAME* structure and it's GEN_DNS
> type check,
> until the point of conversion. The 'buf' stays NULL, even when replacing the
> X509V3_EXT_METHOD*
> with NID_subject_alt_name or just NULL.
>  Many people talk about such a task of extracting dNSName, but could anybody
> show it?

I'm surprised that didn't actually crash. The X509_get_ex_d2i() function is
not returning a GENERAL_NAME structure but a STACK_OF(GENERAL_NAME). You need
to look through that stack for someting of type GEN_DNS and then you can get
its string value, though not using i2s_ASN1_OCTET_STRING...

There is an example which uses email address in the function get_email in the
file v3_utl.c. That should be easy enough to adapt.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Wildcard ssl certificate using subjectAltName

caveman007
Thanks a lot!