On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:
> In order to have this working, we need x509 certificates that have the subjectAltName extension. This is not an OpenLDAP-specific problem, but the information about how to do it seems difficult to find, hence, here is the result of my experiments.
>
> - Creating a CSR
>
> On the LDAP servers, we need to set up OpenSSL for generating the certificate request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:
>
> req_extensions = v3_req
>
> Then, we need a [ v3_req ] section:
>
> [ v3_req ]
> basicConstraints = CA:FALSE
> subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"
I actually found that I could use the following:

[ dev_ldap ]
subjectAltName=DNS:ldap.example.com
basicConstraints=CA:FALSE
I then used 'srv1.example.net' as the CN for the certificate. The OpenSSL libraries were quite happy with this; I can refer to the host as ldap.example.com or srv1.example.com and certificate verification will succeed.
Then, to sign, I use `openssl ca -extensions dev_ldap -in srv1.csr -out srv1.crt'.
This allowed me to use the 'dev_ldap' extension set only for my development config while issuing all other certificates fell back to the 'v3_req' default configuration. It also seems cleaner to me to only specify the actual alternate name in the AltName field.
> It seems the subjectAltName has to be set in the config file. I found no way to have it prompted by the openssl command.
This was my experience too.
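As an added, end-to-end illustration of the procedure discussed above (not code from either poster): a script that writes a throwaway openssl.cnf with a v3_req section carrying the subjectAltName, generates a key and CSR from it, signs the CSR with the same extension section, and then reads the DNS names back out of the resulting certificate. It assumes an `openssl` binary on PATH; the work directory, key size and hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Minimal config: the request asks for the v3_req extensions, and that
# section holds the subjectAltName (it cannot be prompted for interactively).
write_openssl_cnf() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = srv1.example.net

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:ldap.example.net, DNS:srv1.example.net
EOF
}

# Key + CSR; the CSR carries the v3_req extensions as "requested extensions".
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/srv1.key" -out "$WORK/srv1.csr" 2>/dev/null
}

# Self-sign, pulling the extensions from the same section. With a real CA
# this is the `openssl ca -extensions <section>` step from the thread.
sign_cert() {
    openssl x509 -req -days 365 -sha256 \
        -in "$WORK/srv1.csr" -signkey "$WORK/srv1.key" \
        -extfile "$WORK/openssl.cnf" -extensions v3_req \
        -out "$WORK/srv1.crt" 2>/dev/null
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$WORK/srv1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}
```

Both names must come back from `cert_san_names`; if only the CN is present the config's `req_extensions` line or the `-extensions` flag on the signing step was missed.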