The host must be accessible using two different hostnames - one for external IMAPs via our gateway, and one for internal IMAPs with the host's name on our internal network. This is causing problems with SSL certs, and I was hoping there was a way to create a single certificate with multiple allowed hostnames.

Inevitably, after I posted I found some more information. It hasn't really helped, unfortunately.


I've now created a cert with "Alternative Names" defined - the cert contains:

Certificate:
    ...
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                DNS:mail.localnet, DNS:localhost, \
                DNS:access.postnewspapers.com.au

Unfortunately, the mail clients I tested with - Mozilla 1.4 and Eudora 5.2 - don't seem to see the alternative names, though they still accept the name listed in the CN as expected. The OpenSSL config file used contained:

[ usr_cert ]
...
[EMAIL PROTECTED]

[ subjectaltname ]
DNS.1=mail.localnet
DNS.2=localhost
DNS.3=access.postnewspapers.com.au

and this seems to have created the cert as expected - things just won't use the entries defined in subjectAltName. The (private to the company) root CA cert is installed and trusted by the clients already, so that won't be the problem.

I haven't been able to find any info on Google etc., hence my post here. I'll be quite happy to write up something about how to deal with this if I ever find out...

Craig Ringer
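
An added example, not part of the original post: how a client that reads subjectAltName evaluates the names in the certificate above, next to CN-only matching of the kind the post reports. The CN value is a hypothetical placeholder (the post does not give it), and the wildcard handling goes slightly beyond the case in the post.

```python
# Added example, not from the original post.
# CERT is a constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# The SAN entries are those shown in the post; the CN value is a hypothetical placeholder.
CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (
        ("DNS", "mail.localnet"),
        ("DNS", "localhost"),
        ("DNS", "access.postnewspapers.com.au"),
    ),
}


def name_matches(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # refuse overly broad patterns such as "*.test"
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def match_cn_only(cert, host):
    """Client that consults only the subject CN and never reads subjectAltName."""
    return any(name_matches(cn, host) for cn in common_names(cert))


def match_san_aware(cert, host):
    """RFC 2818 section 3.1: dNSName entries, when present, replace the CN entirely."""
    names = dns_sans(cert) or common_names(cert)
    return any(name_matches(n, host) for n in names)


if __name__ == "__main__":
    for host in ("mail.localnet", "access.postnewspapers.com.au", "mail.example.test"):
        print(f"{host:32} cn_only={match_cn_only(CERT, host)!s:5} "
              f"san_aware={match_san_aware(CERT, host)}")
```

A SAN-aware client rejects the CN hostname unless it also appears as a DNS entry, so a certificate meant to work with both kinds of client should list the CN name in subjectAltName as well.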



