<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> Hello. My two centimes worth. Although I use OpenSSL in test, I've never used altnames - sorry. In prod we use a comercial CA. I find that if I want to use one or more altname(s) I must also specify the FQDN in the list of altnames. <blockquote> <blockquote> Common Name: wiki.a.b Alternate Name (DNS):<o:p></o:p> wiki.a.b wikisso.a.b </blockquote> </blockquote> Cdlt, Dave --- John A. Sullivan III wrote: <blockquote cite="mid:1262649852.4358.0.camel@jaspav.ssiservices.biz" type="cite"> <pre wrap="">On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote: </pre> <blockquote type="cite"> <pre wrap="">2010/1/4 Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a>: </pre> <blockquote type="cite"> <pre wrap="">muzzol wrote: Did you specify the FQDN with the -h argument? What hostname did you give? The real hostname or the subjectAltName? </pre> </blockquote> <pre wrap="">i've used FQDN for CN and additional DNS entry for subjectAltName. anyway, i've found that i get a diferent cert when signing it with OpenSSL (openssl -req) and certutil (-C). i've created a sample CA with certutil and repeated all process. now i dont get that error anymore. is this a known behaviour? is there any limitations with subjectAltName and OpenSSL signing? anyone using OpenSSL to sign their DS certs? </pre> </blockquote> <pre wrap="">We are (via OpenCA) but we are also doing server side key generation - John -- 389 users mailing list <a class="moz-txt-link-abbreviated" href="mailto:389-users@redhat.com">389-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </pre> </blockquote> </body> </html>