On 6/2/12 1:12 PM, David O'Callaghan wrote:
> Hi Arnau,
>
> On 06/02/12 12:01, Arnau Bria wrote:
>> Are you using X509v3 Subject Alternative Name DNS entry in your
>> gLite/EMI services' certificates?
>> Is there any policy which forbids the use of such openssl entry?
>
> It's actually recommended in the relevant OGF standard (also adopted by EU
> Grid PMA & IGTF):
>
> 3.3.12 subjectAlternativeName, issuerAlternativeName
>
> The subjectAlternativeName extension SHOULD be present for server
> certificates (including “host” and “service” certificates in the grid
> context), and, if present, MUST contain at least one FQDN in the dNSName
> attribute. If an end-entity certificate needs to contain an rfc822 email
> address, this rfc822 address SHOULD be included as an rfc822Name attribute
> in this extension only.
>
> For use with web server certificates, multiple FQDNs dNSName attributes can
> be added to allow name-based virtual hosting of secured web sites.
>
> (from http://www.ogf.org/documents/GFD.125.pdf)
>
> Kind regards,
>
> David
On a related note:
A well known alternative is to put the hostname in the (most significant)
Common Name field in the Subject DN. RFCs like RFC2818 have deprecated this method
since May 2000.
Also, the use of a Subject Alternative Name is not bound to OpenSSL. It is an
RFC specification since (at least) RFC2459, which dates back to January 1999.
Oscar
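As an added illustration of the GFD.125 rule David quotes (not code from the thread or from the gLite/EMI projects): the script below builds three constructed self-signed certificates with example.org names and classifies each as compliant, SAN-without-dNSName, or CN-only. It assumes only the openssl command-line tool; extensions are requested through a config file, the method that predates the -addext option.

```shell
#!/bin/sh
# Added example, not from the thread: check a server certificate against
# GFD.125 section 3.3.12 (subjectAltName SHOULD be present and, if present,
# MUST carry at least one dNSName). Assumes only the openssl CLI. Extensions
# are requested through a config file, the way that predates -addext.
set -eu
WORK=$(mktemp -d)               # throwaway dir for constructed test material
trap 'rm -rf "$WORK"' EXIT

# make_cert PREFIX CN [SAN]: self-signed test cert; SAN like "DNS:a,DNS:b".
make_cert() {
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2"
        printf '[v3]\nbasicConstraints = CA:FALSE\n'
        if [ -n "${3:-}" ]; then printf 'subjectAltName = %s\n' "$3"; fi
    } > "$WORK/$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
        -extensions v3 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# san_dns_names CERT: print each dNSName of the subjectAltName extension.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# gfd125_status CERT: 0 = SAN with at least one dNSName (compliant),
# 1 = SAN present but no dNSName (violates the MUST), 2 = no SAN at all
# (hostname only in the CN, the form RFC 2818 deprecates).
gfd125_status() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'X509v3 Subject Alternative Name' || return 2
    [ -n "$(san_dns_names "$1")" ] || return 1
    return 0
}

# Three constructed certificates: the compliant case and the two failing ones.
make_cert good   host.example.org "DNS:host.example.org,DNS:alias.example.org"
make_cert mail   host.example.org "email:noc@example.org"
make_cert cnonly host.example.org

for c in good mail cnonly; do
    st=0; gfd125_status "$WORK/$c.pem" || st=$?
    printf '%s: status %d dNSName=[%s]\n' "$c" "$st" \
        "$(san_dns_names "$WORK/$c.pem" | tr '\n' ' ')"
done
```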