SubjectAltName

From GridPP Wiki
Revision as of 15:18, 6 April 2017 by Jens Sha2 Jensen cb2223d626

What?

Host certificates always contain alternative names (i.e. alternative to the distinguished name), but they are still intended to be names for the entity to which the certificate was issued.

Thus, for personal certificates, the alternative name is an email address. This is automatically created by the CA and the user need not do anything.

For host certificates, the FQDN of the host must be included. Conventionally, certificates are issued to the CNAME of the host, with the name present in the commonName field and also as an alternative name. Again, this is done automatically by the CA.

However, in DNS, the host may have other names, and it may be necessary to request that these be present in the certificate as well.

Why?

Globus switched to complying with RFC 2818 (section 3.1), requiring that the hostname that is accessed by the client be present in the certificate.
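
The name check that RFC 2818 section 3.1 describes, as an added example (not code from this wiki or from Globus). It assumes a certificate dict in the shape returned by Python's ssl getpeercert(); the host names are constructed, and wildcards are narrowed to a whole left-most label.

```python
# Added example: RFC 2818 section 3.1 name check over a certificate dict in the
# shape returned by ssl.SSLSocket.getpeercert(). All host names are constructed.

def dns_names(cert):
    """Return the dNSName entries of the subjectAltName extension."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """Return the commonName values of the subject distinguished name."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def label_match(pattern, hostname):
    """Case-insensitive match. '*' is accepted only as the whole left-most label
    (a narrowing of RFC 2818, which also allows fragments such as f*.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def hostname_in_cert(cert, accessed_name):
    """RFC 2818 3.1: if any dNSName is present it must be used; the
    commonName is consulted only when there is no dNSName at all."""
    candidates = dns_names(cert) or common_names(cert)
    return any(label_match(c, accessed_name) for c in candidates)

# Constructed certificate: issued to one name, but clients also use another.
CERT_SINGLE = {
    "subject": ((("commonName", "se01.example.ac.uk"),),),
    "subjectAltName": (("DNS", "se01.example.ac.uk"),),
}
# Same host after the additional DNS name was requested as an alternative name.
CERT_MULTI = {
    "subject": ((("commonName", "se01.example.ac.uk"),),),
    "subjectAltName": (("DNS", "se01.example.ac.uk"), ("DNS", "srm.example.ac.uk")),
}

if __name__ == "__main__":
    for name in ("se01.example.ac.uk", "srm.example.ac.uk"):
        print(name, hostname_in_cert(CERT_SINGLE, name), hostname_in_cert(CERT_MULTI, name))
```

A client that connects as srm.example.ac.uk rejects the first certificate and accepts the second, which is why every DNS name clients use has to be requested as an alternative name.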

How to get host certificates with additional alternative names

(todo)