subjectAltName

This topic contains 6 replies, has 0 voices, and was last updated by  Lastryko 5 years, 3 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #43192

    Lastryko
    Member

    Please add a feature to set subjectAltName in X509 certificate of a host.

    #52068

    gordonf
    Member

    It’s up to the CA to add Subject Alternative Name objects to a cert. So as long as it’s possible for Zeroshell to create CSRs as opposed to self-signed certs, a CA can add additional DNS names and IP addresses to the cert.

    #52069

    Lastryko
    Member

    I don’t really get your point.
    If you tell me that it’s more convenient generating CSR and passing it to external CA
    than providing value of subjAltName in a host creation form
    then I doubt if I can agree with you.

    #52070

    gordonf
    Member

    I see I didn’t make much sense there.

    I run my own certificate authority, using Windows Server granted, but I’ve done the same thing in OpenSSL. When a certificate authority signs a CSR to generate a cert, they can add details that the original CSR requester didn’t ask for, including alternative names. I don’t use self-signed certs if I can help it, preferring to use an in-house CA. I also don’t remember any CSR generator that lets one request SAN attributes.

    OK, Cisco IOS can do it, but my experience is both OpenSSL and Windows Cert Services ignores it. I’ve had to specify SAN attributes when signing the CSRs coming from that.

    Were you asking for Zeroshell to be able to create a self-signed certificate with SAN attributes added? I’m finding plenty of examples for IIS6 and IIS7 but not for what Zeroshell uses as a web server. But you could set up an in-house CA with OpenSSL or Certificate Services and make up SAN certs in the meantime, until Zeroshell gets the feature.

    #52071

    Lastryko
    Member

    @gordonf wrote:

    […]
    Were you asking for Zeroshell to be able to create a self-signed certificate with SAN attributes added? […]

    No, I don’t need a self-signed certificate with SAN attribute.
    As you know, Zeroshell contains a simple CA.
    It can issue a regular cert for a host.
    I have a small deployment of a couple of laptops with a wireless network.
    I’m using a build-in RADIUS server with EAP-TLS authentication.
    For that reason and according to MS kb814394, the RADIUS server
    needs a SAN attribute defined.

    L

    #52072

    PatrickB
    Member

    Hello.

    I have a LAN with a local domain managed by a ZS device, with a local CA, and this LAN master generates the Host certificates I need.

    I wrote: a local domain with a local CA, because the price to pay for all the certificates (or a wildcard) on a Internet domain would be prohibitive and pure waste of money in this case.

    It is natural to have shortcut names for local services (webdav, caldav etc.) and when several of them are provided by the same host, a single certificate with alternative names would be much handier to setup.

    Thanks, Best regards.

    #52073

    redfive
    Participant

    You can use openssl via cli , or xca (with gui) for certificate generation and management , then import the cert with extensions you need in Zs.
    Greetings and happy holidays

    #52074

    PatrickB
    Member

    Hello.

    I will install it, recover my existing CA notably, and test asap.

    If it really works as it looks, it is a very good solution.

    Indeed it may not be the best idea to keep the CA on the device that is in first line on the LAN.

    Best regards.

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.