Difference between revisions of "SubjectAltName"
m |
(added recipe) |
||
| Line 1: | Line 1: | ||
== What? == | == What? == | ||
| − | [[Grid Certificate| | + | [[Grid Certificate|Certificates]] always contain alternative names (i.e. alternative to the distinguished name), but they are still intended to be names for the entity to which the certificate was issued. |
Thus, for personal certificates, the alternative name is an email address. This is automatically created by the CA and the user need not do anything. | Thus, for personal certificates, the alternative name is an email address. This is automatically created by the CA and the user need not do anything. | ||
| Line 15: | Line 15: | ||
== How to get host certificates with additional alternative names == | == How to get host certificates with additional alternative names == | ||
| − | + | * Currently you need to make a request or renewal request for the certificate, and ask the CA to manually add the alternative names. | |
| + | |||
| + | However, it is intended to honour subject alternative names in the requests. Here is a minimal recipe for creating requests with OpenSSL with subject alternative names, expecting four environment variables to be set prior to generating the request: | ||
| + | |||
| + | [req] | ||
| + | req_extensions = req_ext | ||
| + | prompt = no | ||
| + | default_md = sha256 | ||
| + | req_distinguished_name = req_dn | ||
| + | |||
| + | [req_dn] | ||
| + | countryName = UK | ||
| + | organizationName = eScience | ||
| + | organizationalUnitName = $ENV::RA1 | ||
| + | localityName = $ENV::RA2 | ||
| + | commonName = $ENV::HOSTNAME | ||
| + | |||
| + | [req_ext] | ||
| + | subjectAltName = DNS: $ENV::HOSTNAME, DNS: $ENV::ALTNAME | ||
Revision as of 15:34, 6 April 2017
What?
Certificates always contain alternative names (i.e. alternative to the distinguished name), but they are still intended to be names for the entity to which the certificate was issued.
Thus, for personal certificates, the alternative name is an email address. This is automatically created by the CA and the user need not do anything.
For host certificates, the FQDN of the host must be included. Conventionally, certificates are issued to the CNAME of the host, with the name present in the commonName field and also as an alternative name. Again, this is done automatically by the CA.
However, in DNS, the host may have other names, and it may be necessary to request that these be present in the certificate as well.
Why?
Globus switched to complying with RFC 2818 (section 3.1), requiring that the hostname that is accessed by the client be present in the certificate.
How to get host certificates with additional alternative names
- Currently you need to make a request or renewal request for the certificate, and ask the CA to manually add the alternative names.
However, it is intended to honour subject alternative names in the requests. Here is a minimal recipe for creating requests with OpenSSL with subject alternative names, expecting four environment variables to be set prior to generating the request:
[req] req_extensions = req_ext prompt = no default_md = sha256 req_distinguished_name = req_dn [req_dn] countryName = UK organizationName = eScience organizationalUnitName = $ENV::RA1 localityName = $ENV::RA2 commonName = $ENV::HOSTNAME [req_ext] subjectAltName = DNS: $ENV::HOSTNAME, DNS: $ENV::ALTNAME
