Re: Implementing deprecation of commonname and emailaddress

Viktor,

thanks for the reply.

On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:

Remove commonName and emailAddress completely from the cnf file. They no
longer belong in any cert, root or intermediate CA certs, server or user
certs.
CommonName is supplied for viewing by tools like certificate viewers.
It should probably be a friendly name, like "Example Web Services".
RFC 5280 suggests an empty subject DN with all the desired names
in the subject alt name extension.

When you see a name like "example.com" in the CN, it's usually a CA
including a domain name and not a hostname.
That's nonsense.

For servers include something like in the cnf file:

subjectAltName = DNS:www.example.com, DNS:example.com, DNS:localhost,
email:postmaster@xxxxxxxxxxx
Don't include an email address.
That is, don't include unless the certificate is intended for S/MIME.

Or to provide an easy way to contact the server admin if there is a problem/question with the cert? Even without S/MIME?


X.509 and PKIX certificates don't really have a proper field for email
addresses. That's why they get mashed into CommonName.
They sure do, that's what rfc822Name is for in the subject alt name
extension.  It supports S/MIME certificates.  There's even recent
work (soon to be an RFC) to internationalize this with SmtpUTF8Name...

That is what I thought, too.  Just not the full email format like:

Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>


Um, I can specify 'localhost' in this manner if I am on the server and
connecting in the browser with https://localhost ??
Yes.
You can, but it is not a good idea.  Since that "localhost" will
then work on every host that trusts the issuing CA.  The only way
to make this reasonably secure is to have a per-host issuing CA
that's only trusted on *that* host, and *that* CA can then issue
the "localhost" certificate.  All the hosts can additionally
trust other shared CAs.

So better to provide a self-signed cert if a server is going to be accessed from a browser on the server via https://localhost


I am looking at how to build the above line using ENV variables. It is more
a matter of how I do it than can I do it...
The tricky bit is creating a variable number of SAN elements, I don't
know how to do that with just environment variables.  Sometimes building
a config file on the fly is the way to go.

The simplest that I have come up with is:

export SAN="DNS:example.com, DNS:www.example.com, email:postmaster@xxxxxxxxxxx"

and in the cnf

subjectAltName = $ENV::SAN

I think.   I am not yet up to testing this....

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
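The two approaches discussed in the thread, Viktor's "build a config file on the fly" and Bob's untested `$ENV::SAN` idea, worked through as an added example. This script is not from the thread or from the OpenSSL project; the names (example.com, "Example Web Services"), the section names in the generated config and the helper function names are illustrative choices. It relies only on documented OpenSSL behaviour: `$ENV::name` substitutes an environment variable in a config file, SAN type tags are case-sensitive (`email:`, not `EMAIL:`) and take a colon, and `openssl req -x509 -config` picks up the `x509_extensions` section. The certificate issuance at the end runs only if an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the OpenSSL project.
# Builds a subjectAltName list from a variable number of arguments, writes an
# openssl req config around it (either with the literal list, or referencing
# an environment variable via $ENV::SAN), and optionally issues a self-signed
# certificate to show what ends up in the extension.

# build_san TYPE:value [TYPE:value ...]
# Prints the comma-separated list the subjectAltName extension expects.
# Rejects entries with the wrong tag case or "=" instead of ":", which
# openssl would otherwise fail on with "unsupported option".
build_san() {
    if [ $# -eq 0 ]; then
        echo "build_san: at least one SAN entry is required" >&2
        return 1
    fi
    san=""
    sep=""
    for entry in "$@"; do
        case "$entry" in
            DNS:*|IP:*|email:*|URI:*) ;;
            *)
                echo "build_san: unsupported SAN entry '$entry' (expected DNS:, IP:, email: or URI: followed by a value)" >&2
                return 1
                ;;
        esac
        # Per the thread: a CA-issued "localhost" cert is accepted on every
        # host that trusts that CA, so flag it instead of silently adding it.
        if [ "$entry" = "DNS:localhost" ]; then
            echo "build_san: warning: DNS:localhost is valid wherever the issuing CA is trusted; prefer a per-host CA or self-signed cert" >&2
        fi
        san="${san}${sep}${entry}"
        sep=", "
    done
    printf '%s\n' "$san"
}

# write_cnf "Friendly Name" SAN_VALUE
# Prints a complete req config. SAN_VALUE is either the literal list from
# build_san or the string '$ENV::SAN' to have openssl read it from the
# environment. CN is a display-only friendly name, as suggested upthread.
write_cnf() {
    cn=$1
    san_value=$2
    cat <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_server
prompt = no

[ dn ]
CN = $cn

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san_value
EOF
}

# issue_selfsigned CNF_FILE OUT_DIR
# Generates a key and self-signed cert from the config, then prints the SAN
# extension as openssl decoded it. Requires the openssl CLI.
issue_selfsigned() {
    cnf=$1
    dir=$2
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone demonstration: literal list written into the config.
echo "--- config with a literal SAN list ---"
write_cnf "Example Web Services" "$(build_san DNS:example.com DNS:www.example.com)"

# Environment-variable variant, exercised end to end if openssl is available.
if command -v openssl >/dev/null 2>&1; then
    echo "--- issuing from a config that uses \$ENV::SAN ---"
    tmp=$(mktemp -d)
    write_cnf "Example Web Services" '$ENV::SAN' > "$tmp/san.cnf"
    SAN=$(build_san DNS:example.com DNS:www.example.com email:postmaster@example.com)
    export SAN
    issue_selfsigned "$tmp/san.cnf" "$tmp" || echo "openssl issuance failed; config left in $tmp/san.cnf" >&2
    rm -rf "$tmp"
fi
```

Note the difference from the config line in the thread: a bare `$SAN` in an openssl config refers to a variable defined earlier in the config file itself, not to the shell environment; `$ENV::SAN` is the form that reads the exported variable. If `SAN` is not exported when openssl runs, the config load fails rather than silently producing a cert with no SAN.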
