In the config of OpenSSL use the following:

[ user_cert ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
subjectAltName = IP:[your server IP]     OR
subjectAltName = email:copy              OR
subjectAltName = URI:[your.site.com]

etc.

Phil wrote:
> Hi Rodney,
>
> Thanks for the reply.
>
> What I have is a cert request from a 2003 server with the following as
> an example:
>
> Subject Name (SN): servername.domainname.com.au
> Subject Alternative Name (SAN): AlternateServername.domainname.com.au
>
> I am far from an expert on certificates, but I know these can be
> signed from a Windows 2003 CA or say Verisign with the following
> options:
>
> Server Authentication
> Client Authentication
> Subject Name (as above)
> Subject Alternative Name (as above)
>
> So I have certificates like these signed from the above mentioned
> CA's, but I am looking to sign these requests myself with the same
> parameters using something like Open SSL.
>
> The initial cert requests are done with utilities that come with
> Microsoft products. One Microsoft product that I am using at the
> moment is the Certificate Wizard that comes with OCS 2007 that allows
> you to choose the SN and SAN, or even multiple SAN's.
>
> Like I mentioned, I am not an expert on SSL certs, so I am looking to
> get pointers in the right direction on where to investigate\read so I
> can get my head around how this could be achieved.
>
> I will investigate more of what you have mentioned below, but if you
> have more feedback then that is welcomed.
>
> Thank you.
>
> Phil.
>
>
> On Nov 10, 2007 3:08 AM, Rodney Thayer wrote:
>
>> Are you saying you have a Microsoft Windows 2003 Server system
>> that has already created a certificate request (PKCS-10 formatted
>> data file) with multiple subjectaltname's, and you would like
>> an OpenSSL-based CA to sign it and grant it "server authentication"
>> and "client authentication" key usage?
>>
>> You wouldn't happen to have a reference as to how you cooked
>> this certificate request, do you?
>>
>> w.r.t. server-auth and client-auth, it's something the CA
>> grants, I believe. I think that if you look around for
>> list posts discussing manipulating the inside of openssl.cnf
>> to provide such a thing that may help. I believe that goes
>> in the "ca policy" section.
>>
>> I don't recall pkcs-10 being capable of supporting a certificate
>> request that's got subjectaltnames - that'd be interesting
>> to share if you know how to do that...
>>
>>
>> Phil wrote:
>>
>>> Hi there,
>>>
>>> Up to now I have only ever done certs for web servers, which are quite
>>> straightforward.
>>>
>>> I now have the requirement to fulfill requests with the following:
>>>
>>> multiple subject alternative names
>>> server authentication
>>> client authentication
>>>
>>> If anyone can pass on info or point me in the right direction of other
>>> posts, that would be great. I need to know how to take a request from
>>> a Windows server and sign it correctly with all these options.
>>>

>> __________________________________________________ ____________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majordomo@openssl.org
>>
>>

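As an added example that is not part of the thread: the CA-side steps that give a request like Phil's both DNS SANs plus the serverAuth and clientAuth key purposes. With `openssl x509 -req -extfile`, the extensions come from the CA's own config section (here `user_cert`, extended with `extendedKeyUsage` and a DNS-list `subjectAltName`), not from the CSR, so it does not matter whether the Windows tool put SANs into the PKCS#10. The throwaway CA, the locally generated CSR standing in for the Windows 2003 one, and all names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own steps. Signs a PKCS#10 request with an
# OpenSSL CA so the issued cert carries two DNS SANs plus serverAuth and
# clientAuth extended key usage. The throwaway CA, the locally generated CSR
# (standing in for the Windows 2003 one) and all names are constructed.
set -eu

# Builds a toy CA and a CSR, signs the CSR with a user_cert section and
# prints the path of the issued certificate.
issue_cert() {
  w=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$w/ca.key" \
    -out "$w/ca.crt" -subj "/CN=Constructed Lab CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$w/srv.key" -out "$w/srv.csr" \
    -subj "/CN=servername.domainname.com.au" >/dev/null 2>&1

  # Extensions come from this CA-side file, not from the CSR: a comma-separated
  # SAN list on one line, and both key purposes in extendedKeyUsage.
  cat > "$w/ext.cnf" <<'EOF'
[ user_cert ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:servername.domainname.com.au,DNS:AlternateServername.domainname.com.au
EOF

  openssl x509 -req -in "$w/srv.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
    -CAcreateserial -days 1 -extfile "$w/ext.cnf" -extensions user_cert \
    -out "$w/srv.crt" >/dev/null 2>&1
  echo "$w/srv.crt"
}

# True when the decoded certificate text contains the given string.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# True when the issued cert chains to the CA certificate sitting beside it.
chains_to_ca() { openssl verify -CAfile "$(dirname "$1")/ca.crt" "$1" >/dev/null 2>&1; }

crt=$(issue_cert)
for want in "DNS:AlternateServername.domainname.com.au" \
            "TLS Web Server Authentication" "TLS Web Client Authentication"; do
  cert_has "$crt" "$want" && echo "present: $want"
done
chains_to_ca "$crt" && echo "chains to CA"
```

Inspect the result with `openssl x509 -in srv.crt -noout -text` and check that the SAN list, the two EKU purposes and `CA:FALSE` all appear before handing the cert back to the Windows side.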