SubjectAltName

From GridPP Wiki

What?

Certificates always contain alternative names (i.e. alternative to the distinguished name), but they are still intended to be names for the entity to which the certificate was issued.

Thus, for personal certificates, the alternative name is an email address. This is automatically created by the CA and the user need not do anything.

For host certificates, the FQDN of the host must be included. Conventionally, certificates are issued to the CNAME of the host, with the name present in the commonName field and also as an alternative name. Again, this is done automatically by the CA.

However, in DNS, the host may have other names, and it may be necessary to request that these be present in the certificate as well.

Why?

Globus switched to complying with RFC 2818 (section 3.1), requiring that the hostname that is accessed by the client be present in the certificate.

How to get host certificates with additional alternative names

  • Currently you need to make a request or renewal request for the certificate, and ask the CA to manually add the alternative names.

However, it is intended to honour subject alternative names in the requests. Here is a minimal recipe for creating requests with OpenSSL with subject alternative names, expecting four environment variables to be set prior to generating the request:

[req]
req_extensions = req_ext
prompt = no
default_md = sha256
req_distinguished_name = req_dn

[req_dn]
countryName = UK
organizationName = eScience
organizationalUnitName = $ENV::RA1
localityName = $ENV::RA2
commonName = $ENV::HOSTNAME

[req_ext]
subjectAltName = DNS: $ENV::HOSTNAME, DNS: $ENV::ALTNAME

Notes:

  • The environment variables RA1 and RA2 should be set to the name components of your RA (e.g. RA1=CLRC, RA2=RAL).
  • The HOSTNAME variable is set twice (as described above), in the commonName and as the first alternative name.
  • In this case there is only one other alternative name, ALTNAME. If you need more than one, they should be put on the same line of the config file, each preceded by the string "DNS: "; extending this script to do so is left as an exercise to the reader.

How to generate the request (based on an existing key, in key.pem, and the config being written to req.cnf):

openssl req -config req.cnf -new -key key.pem -out req.pem
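As an added example (not part of the original wiki page), the script below renders the same req.cnf for any number of alternative names, drops duplicates of the hostname or of each other, and, where openssl is installed, generates the request and prints the requested SAN extension so it can be checked before the request goes to the CA. The host and service names are constructed samples; RA1 and RA2 fall back to CLRC and RAL when unset.

```shell
#!/bin/sh
# Added example for the GridPP SubjectAltName recipe: build req.cnf with
# one DNS entry per name, then generate and inspect the request.

# san_req_cnf RA1 RA2 HOSTNAME [ALTNAME...]
# Prints the request config; HOSTNAME is the commonName and the first SAN.
san_req_cnf() {
    ra1=$1; ra2=$2; host=$3; shift 3
    san="DNS:$host"
    for alt in "$@"; do
        [ -n "$alt" ] || continue
        # Skip a name already present (the hostname or an earlier ALTNAME).
        case ",$san," in *",DNS:$alt,"*) continue ;; esac
        san="$san,DNS:$alt"
    done
    cat <<EOF
[req]
req_extensions = req_ext
prompt = no
default_md = sha256
req_distinguished_name = req_dn

[req_dn]
countryName = UK
organizationName = eScience
organizationalUnitName = $ra1
localityName = $ra2
commonName = $host

[req_ext]
subjectAltName = $san
EOF
}

# Constructed sample names; set RA1/RA2 to your RA components as described above.
san_req_cnf "${RA1:-CLRC}" "${RA2:-RAL}" se01.example.ac.uk srm.example.ac.uk > req.cnf
if command -v openssl >/dev/null 2>&1; then
    # Unlike the page's command this creates a fresh key instead of reusing key.pem.
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem 2>/dev/null
    # Every name a client will connect to must appear in this extension (RFC 2818 3.1).
    openssl req -in req.pem -noout -text | grep -A1 'Subject Alternative Name'
fi
```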