Date: Fri, 10 Aug 2001 14:02:32 -0400 (EDT)
From: Victor Danilchenko <danilche at cs.umass.edu>
Subject: Notes on generating certificates with multiple canonical names

        Hi,
        I have had to deal with this problem, and I thought I'd share in
the hopes that someone might find this useful.

        When Netscape originally designed SSL2, certain rules were
implemented to permit shell-style glob syntax in some fields, most
notably Common Name (CN) field, of the SSL certificates. Since then,
everyone and their grandmother implemented SSL, but the parsing of the
CN field still differs radically between vendors.

        There are two major styles: canonical Netscape implementation
using globbing expressions (for more gory details, see
http://home.netscape.com/eng/security/ssl_2.0_certificate.html), which
uses only one CN field but permits multiple values to be specified in it
using wildcards and various other techniques; and MS-style
implementation, which uses multiple fields without globbing. Microsoft
does not officially support globbing expressions in CN fields, but some
versions of IE browser seem to permit them anyway. Outlook Express,
however, does not support such expressions, only accepting multiple
literal CN fields.

        Therefore, to achieve maximum compatibility, we have ended up
setting the first CN field to be a Netscape-style globbing expression, and
all the other CN fields to be the literal expansions of the glob. So,
for example, the relevant section of our stunnel.cnf file looks like
this (we use Stunnel to provide SSL-wrapped POP and IMAP services):

0.commonName                    = Set of common names (Netscape-supported expansion)
0.commonName_default            = (freya.|mail.|)cs.umass.edu
1.commonName                    = Common Name (FQDN of your server)
1.commonName_default            = freya.cs.umass.edu
2.commonName                    = Common Name (DNS alias of your server)
2.commonName_default            = mail.cs.umass.edu
3.commonName                    = Common Name (DNS alias of your server)
3.commonName_default            = cs.umass.edu

        This layout satisfied Netscape (the first field), and Outlook
(the remaining fields).
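An added consistency check for the layout described in the post (example code, written here; it is not from the post or from the stunnel project): it parses the N.commonName_default lines of such a section, expands the (a|b|) alternation used in CN 0, and reports any literal CN that the glob does not cover or any expansion that lacks a literal CN. The section text is a constructed copy of the one shown above.

```python
import re
from typing import Dict, List

# Constructed sample: the multi-CN section from the post, as the
# name = value lines of an OpenSSL req distinguished-name section.
STUNNEL_CNF_SECTION = """\
0.commonName                    = Set of common names (Netscape-supported expansion)
0.commonName_default            = (freya.|mail.|)cs.umass.edu
1.commonName                    = Common Name (FQDN of your server)
1.commonName_default            = freya.cs.umass.edu
2.commonName                    = Common Name (DNS alias of your server)
2.commonName_default            = mail.cs.umass.edu
3.commonName                    = Common Name (DNS alias of your server)
3.commonName_default            = cs.umass.edu
"""

def parse_cn_defaults(section: str) -> Dict[int, str]:
    """Return {index: value} for every N.commonName_default line."""
    out: Dict[int, str] = {}
    for line in section.splitlines():
        m = re.match(r"\s*(\d+)\.commonName_default\s*=\s*(.*?)\s*$", line)
        if m:
            out[int(m.group(1))] = m.group(2)
    return out

def expand_netscape_glob(pattern: str) -> List[str]:
    """Expand the (a|b|) alternation form used in the post's first CN.
    Only a leading parenthesised alternation is handled; '*' and '?'
    wildcards have no finite literal expansion and are returned as-is."""
    m = re.fullmatch(r"\(([^()]*)\)(.*)", pattern)
    if not m:
        return [pattern]
    alternatives = m.group(1).split("|")
    suffix = m.group(2)
    return [alt + suffix for alt in alternatives]

def check_cn_layout(section: str) -> Dict[str, List[str]]:
    """Compare the glob in CN 0 against the literal CNs 1..n.
    'missing': names the glob covers but no literal CN field lists
    'extra':   literal CN fields the glob does not cover
    Both empty means the Netscape-style and the MS-style client see the
    same set of names, which is the goal of the layout in the post."""
    defaults = parse_cn_defaults(section)
    expanded = set(expand_netscape_glob(defaults[0]))
    literals = {v for k, v in defaults.items() if k > 0}
    return {"missing": sorted(expanded - literals),
            "extra": sorted(literals - expanded)}
```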