## 20171103 AK
----
 [[FAQ/subjectAltName/CZ|Česky]] | '''english'''
----
= FAQ/subjectAltName (SAN) =

== What is subjectAltName? ==

subjectAltName specifies additional subject identities. For host names (and everything else subjectAltName is defined for) it is not merely optional, though:

subjectAltName must always be used (RFC 3280 4.2.1.7, first paragraph). The CN is only evaluated if subjectAltName is absent, and then only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to list all host names, email addresses, etc. in it, the name from the CN included, not just the "additional" ones.

== subjectAltName and CAcert CSR parser ==

The CSR parser strips any commonNames and subjectAltNames that the system cannot match against a domain on your account. You can view the domains listed on your account by going to the domains section of the website after you log in and then clicking on [[https://www.cacert.org/account.php?id=9|View]]. (For this link to work, you have to log in with your username and password, not with a client certificate.)

According to the standards, commonName is ignored if you supply a subjectAltName in the certificate; this has been verified to work in both the latest versions of MS IE and Firefox (as of 2005/05/12).

=== Add multiple SANs into your CSR with OpenSSL ===

 * Copy your default openssl.cnf file to a temporary openssl-san.cnf file
 * Edit openssl-san.cnf to add the additional required parameters:

 {{{
[req]
req_extensions = v3_req

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server1.example.com
DNS.2 = mail.example.com
DNS.3 = www.example.com
DNS.4 = www.sub.example.com
DNS.5 = mx.example.com
DNS.6 = support.example.com
}}}

=== Create the OpenSSL Private Key and CSR with OpenSSL ===

 * two openssl commands run in series: the first generates the private key (4096 bits here, despite the "2048" in the file name), the second creates the CSR from that key using the SAN configuration
 {{{
openssl genrsa -out srvr1-example-com-2048.key 4096
openssl req -new -out srvr1-example-com-2048.csr -key srvr1-example-com-2048.key -config openssl-san.cnf
}}}
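The configuration above can also be generated instead of edited by hand. The following Python script is an added example (it is not CAcert's code and not part of the original FAQ): it produces the [req]/[v3_req]/[alt_names] fragment to append to your copy of openssl.cnf, makes sure the CN host name is also listed as DNS.1 (which is what RFC 3280 requires once subjectAltName is present), rejects syntactically invalid host names and drops duplicates. The function names san_config, san_names and valid_hostname are this example's own.

```python
"""Generate the [req]/[v3_req]/[alt_names] fragment for openssl-san.cnf.

Added example, not CAcert's code. The fragment is meant to be appended to a
copy of the default openssl.cnf (which supplies distinguished_name etc.), as
the FAQ describes; it is not a complete OpenSSL configuration on its own.
"""
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Return True if *name* is a syntactically valid DNS host name."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def san_names(common_name: str, extra_names) -> list:
    """Return the SAN host list: CN first, lower-cased, duplicates removed.

    Raises ValueError for a name that is not a valid host name, so a typo
    is caught before the CSR is built rather than by the CA's parser.
    """
    names = []
    for name in [common_name, *extra_names]:
        name = name.strip().lower()
        if not valid_hostname(name):
            raise ValueError(f"invalid host name: {name!r}")
        if name not in names:
            names.append(name)
    return names


def san_config(common_name: str, extra_names) -> str:
    """Build the openssl-san.cnf fragment for a CSR carrying the given names."""
    names = san_names(common_name, extra_names)
    lines = [
        "[req]",
        "req_extensions = v3_req",
        "",
        "[ v3_req ]",
        "# Extensions to add to a certificate request",
        "basicConstraints = CA:FALSE",
        "keyUsage = nonRepudiation, digitalSignature, keyEncipherment",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    # DNS.1 is always the CN, so the CN is never missing from the SAN list.
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(names, start=1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # "Server1.example.com" duplicates the CN and is dropped after lower-casing.
    print(san_config("server1.example.com",
                     ["mail.example.com", "www.example.com", "www.sub.example.com",
                      "mx.example.com", "support.example.com", "Server1.example.com"]))
```

Redirect the output into the end of your openssl-san.cnf copy and run the two openssl commands above unchanged.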

=== Check multiple SANs in your CSR with OpenSSL ===

 * the openssl command
 {{{
openssl req -text -noout -in <yourcsrfile>.csr
}}}

 * will result in, e.g.:
 {{{
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=City, O=Company, OU=Organisation-Unit, CN=server1.example.com/emailAddress=alias@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
[...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:server1.example.com, DNS:mail.example.com, DNS:www.example.com, DNS:www.sub.example.com, DNS:mx.example.com, DNS:support.example.com
    Signature Algorithm: sha1WithRSAEncryption
[...]
}}}

=== Copy content of CSR file to New Server Cert Form ... ===

 * ... and process the signing request; this results in the following output:

 {{{
Please make sure the following details are correct before proceeding any further.

CommonName: server1.example.com
subjectAltName: DNS:server1.example.com
subjectAltName: DNS:mail.example.com
subjectAltName: DNS:www.example.com
subjectAltName: DNS:www.sub.example.com
subjectAltName: DNS:mx.example.com
subjectAltName: DNS:support.example.com
No additional information will be included on certificates because it can not be automatically checked by the system.

[submit]
}}}

 * results in
 {{{
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
}}}

 * copy & paste the text including
 {{{
 "-----BEGIN CERTIFICATE-----"   -and-
 "-----END CERTIFICATE-----"
}}}
 * into a new file, e.g. srvr1-example-com-2048-signed-class1.key (despite the .key suffix, this file holds the signed public certificate, not your private key)

=== Verify the Signed (Public) Keyfile with OpenSSL ===

 * the openssl command
 {{{
openssl x509 -text -in srvr1-example-com-2048-signed-class1.key -noout
}}}

 * will result in

 {{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4451 (0x1163)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 14:41:43 2012 GMT
            Not After : Oct 21 14:41:43 2012 GMT
        Subject: CN=server1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:server1.example.com, othername:<unsupported>, DNS:mail.example.com, othername:<unsupported>, DNS:www.example.com, othername:<unsupported>, DNS:www.sub.example.com, othername:<unsupported>, DNS:mx.example.com, othername:<unsupported>, DNS:support.example.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
}}}
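Reading the CSR dump and the certificate dump above by eye is error-prone once the SAN list gets long, and the CAcert parser silently drops names it cannot match to your account. The following Python script is an added example, not part of the FAQ and not CAcert's code: it parses the output of openssl req -text or openssl x509 -text, extracts the Subject CN and the DNS: entries of the Subject Alternative Name extension, and reports a CN that is not repeated in the SAN list or an expected host name that is missing from it. The function names parse_text_dump and check_names are this example's own; the two embedded dumps are constructed from the FAQ's output, with one name removed from the certificate dump to show the failure case.

```python
"""Check CN and subjectAltName host names in `openssl ... -text` output.

Added example, not CAcert's code. Run it on a saved dump:
    openssl x509 -text -noout -in srvr1-example-com-2048-signed-class1.key > cert.txt
    python3 check_san.py cert.txt server1.example.com mail.example.com ...
Without arguments it checks the two constructed dumps embedded below.
"""
import re
import sys

# Constructed sample: a CSR dump carrying the six names from the FAQ.
GOOD_CSR = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=City, O=Company, CN=server1.example.com/emailAddress=alias@example.com
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:server1.example.com, DNS:mail.example.com, DNS:www.example.com, DNS:www.sub.example.com, DNS:mx.example.com, DNS:support.example.com
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed sample: a certificate dump in which www.sub.example.com was
# stripped (as the CAcert parser does for domains not on the account).
STRIPPED_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=server1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:server1.example.com, othername:<unsupported>, DNS:mail.example.com, othername:<unsupported>, DNS:www.example.com, othername:<unsupported>, DNS:mx.example.com, othername:<unsupported>, DNS:support.example.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
"""

EXPECTED = ["server1.example.com", "mail.example.com", "www.example.com",
            "www.sub.example.com", "mx.example.com", "support.example.com"]

# CN value ends at the next RDN separator: "," or the "/" before emailAddress.
_CN = re.compile(r"\bCN\s*=\s*([^,/]+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def parse_text_dump(text: str) -> dict:
    """Return {'cn', 'dns', 'other'} from an openssl req/x509 -text dump.

    The SAN value is collected from the lines indented deeper than the
    extension header, so it does not matter whether OpenSSL printed it on
    one long line or spread it over several indented lines.
    """
    cn, dns, other = None, [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped.startswith("Subject:"):          # not "Subject Public Key Info:"
            m = _CN.search(stripped)
            if m:
                cn = m.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name:"):
            header_indent = _indent(lines[i])
            value = ""
            i += 1
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > header_indent:
                value += lines[i].strip()
                i += 1
            for entry in value.split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    dns.append(entry[len("DNS:"):])
                elif entry:                              # e.g. othername:<unsupported>
                    other.append(entry)
            continue
        i += 1
    return {"cn": cn, "dns": dns, "other": other}


def check_names(text: str, expected) -> list:
    """Return a list of problems; an empty list means the dump is consistent."""
    info = parse_text_dump(text)
    have = {d.lower() for d in info["dns"]}
    problems = []
    if info["cn"] is None:
        problems.append("no CN found in Subject")
    if not have:
        problems.append("no DNS entries found in subjectAltName")
    elif info["cn"] is not None and info["cn"].lower() not in have:
        problems.append(f"CN {info['cn']} is not repeated in subjectAltName")
    for name in sorted({n.lower() for n in expected} - have):
        problems.append(f"expected name missing from subjectAltName: {name}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            dumps = [(sys.argv[1], fh.read(), sys.argv[2:])]
    else:
        dumps = [("GOOD_CSR", GOOD_CSR, EXPECTED), ("STRIPPED_CERT", STRIPPED_CERT, EXPECTED)]
    for label, text, expected in dumps:
        problems = check_names(text, expected)
        print(label + ":", "OK" if not problems else "; ".join(problems))
```

Run it on the CSR dump before you submit, and again on the signed certificate dump afterwards; a name reported missing from the certificate but present in the CSR is one the CAcert parser stripped because it is not verified on your account.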

=== Further Reading ===
 * [[TutorialsHowto|Tutorials - How To]]
 * [[http://www.tlienhard.com/cacert/ExchangeCAcert.htm|HowTo create SAN certificates for use with Microsoft Exchange]]

----
 . CategoryCommunity
 . CategoryConfiguration
 . CategoryGuide
 . CategorySoftware
 . CategorySupport