Hi Arnau,
On 06/02/12 12:01, Arnau Bria wrote:
> Are you using X509v3 Subject Alternative Name DNS entry in your
> gLite/EMI services' certificates?
> Is there any policy which forbids the use of such openssl entry?
It's actually recommended in the relevant OGF standard (also adopted by EU
Grid PMA & IGTF):
3.3.12 subjectAlternativeName, issuerAlternativeName
The subjectAlternativeName extension SHOULD be present for server
certificates (including “host” and “service” certificates in the grid
context), and, if present, MUST contain at least one FQDN in the dNSName
attribute. If an end-entity certificate needs to contain an rfc822 email
address, this rfc822 address SHOULD be included as an rfc822Name attribute
in this extension only.
For use with web server certificates, multiple FQDNs dNSName attributes can
be added to allow name-based virtual hosting of secured web sites.
(from http://www.ogf.org/documents/GFD.125.pdf)
Kind regards,
David
--
Ánra Taighde - Scoil na hEolaíochta Ríomhaireachta ⁊ na Staitisticí,
Coláiste na Tríonóide, Baile Átha Cliath, BÁC 2
Research Fellow - School of Computer Science & Statistics,
Trinity College Dublin, Dublin 2 T: +353 1 896 1720
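
The rules in the GFD.125 section 3.3.12 text quoted above can be checked mechanically. The following is an added example, not part of the original message or of any gLite/EMI tooling: it assumes the certificate has already been decoded into the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the host names, the sample certificates and the helper names is_fqdn and check_san_profile are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
# Wildcard labels ("*") do not match, so they are not counted as FQDNs here
# (an assumption of this example, not a statement from the standard).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_fqdn(name):
    """True for a dotted host name with at least two valid labels."""
    name = name.rstrip(".")
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))

def check_san_profile(cert):
    """Return (errors, warnings) for the quoted section 3.3.12 text.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().
    """
    errors, warnings = [], []
    san = cert.get("subjectAltName", ())
    if not san:
        # SHOULD be present: absence is a warning, not a hard failure.
        warnings.append("no subjectAlternativeName extension")
    elif not any(kind == "DNS" and is_fqdn(value) for kind, value in san):
        # If present, MUST contain at least one FQDN in dNSName.
        errors.append("subjectAlternativeName has no FQDN dNSName")
    # rfc822 addresses SHOULD appear as rfc822Name in the SAN only,
    # so an emailAddress attribute in the subject DN is flagged.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "emailAddress":
                warnings.append("email address in subject DN: " + value)
    return errors, warnings

# Constructed sample certificates (not taken from any real host).
GOOD = {"subject": ((("commonName", "ce01.grid.example.org"),),),
        "subjectAltName": (("DNS", "ce01.grid.example.org"),
                           ("DNS", "www.grid.example.org"),
                           ("email", "admin@example.org"))}
NO_SAN = {"subject": ((("commonName", "ce02.grid.example.org"),),)}
BAD_SAN = {"subject": ((("commonName", "ce03"),),
                       (("emailAddress", "admin@example.org"),)),
           "subjectAltName": (("DNS", "ce03"), ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("no SAN", NO_SAN), ("bad SAN", BAD_SAN)):
        print(label, check_san_profile(cert))
```

A missing extension is reported as a warning because the text says SHOULD, while a SAN without any FQDN dNSName is an error because that part is a MUST.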