One Certificate, Many subjectAltName

早看到就好了 :) 根據其中的 Interoperability Test，我選用 1. Way: SubjectAltName Only 這個方法；這是 x509v3 的一項 extension。先複製一份 openssl.cnf，在 [v3_req] 區塊裡加上 subjectAltName 的定義：

subjectAltName = DNS:domain1.com, DNS:domain2.com

然後打開 [req] 區塊裡的

req_extensions = v3_req

最後用這個 openssl.cnf 產生 request、簽核 certificate 即可；我把 request/sign 的過程寫成一個如下的 Makefile：

OWNER = yungyuc.yungyuc

default:
      echo "select one"

req:
      openssl req -new \
              -config openssl.cnf -text \
              -key key.pem -out req.pem

reqsubj:
      openssl req -noout -subject -in req.pem

reqtext:
      openssl req -noout -text -in req.pem

crt:
      openssl x509 \
              -req -days 3650 -sha1 \
              -extfile openssl.cnf -extensions v3_req \
              -CA cacert.pem \
              -CAkey cakey.pem \
              -in req.pem -out crt.pem
      chown $(OWNER) crt.pem

crtsubj:
      openssl x509 -noout -subject -in crt.pem

crttext:
      openssl x509 -noout -text -in crt.pem

這樣不管是 Firefox, Mozilla 還是 IE，都可以正確支援多 domain name 的 certificate 了。

Posted by yungyuc at 22:21, 0 comment, 0 trackback.

Navigate

Previous: One Certificate, Many Domainname (commonName) @2005/09/28
Next: 時光荏苒 @2005/09/29

Add a trackback

Please send trackback to: http://blog.seety.org/everydaywork/2005/9/28/409/trackback/.

Add a comment

Title:
Contributor:	Your name. (required)
Website:	Your personal website. (optional)
Email:	Your email address. Will not show in page. (suggested, but optional)
Body:	Text format is "Plain Text".
Antispam code:	Enter "DIRmh"