- This topic is empty.
November 12, 2011 at 3:44 pm #43192
Please add a feature to set subjectAltName in X509 certificate of a host.March 21, 2012 at 6:14 pm #52068gordonfMember
It’s up to the CA to add Subject Alternative Name objects to a cert. So as long as it’s possible for Zeroshell to create CSRs as opposed to self-signed certs, a CA can add additional DNS names and IP addresses to the cert.March 21, 2012 at 7:58 pm #52069
I don’t really get your point.
If you tell me that it’s more convenient generating CSR and passing it to external CA
than providing value of subjAltName in a host creation form
then I doubt if I can agree with you.March 24, 2012 at 5:08 am #52070gordonfMember
I see I didn’t make much sense there.
I run my own certificate authority, using Windows Server granted, but I’ve done the same thing in OpenSSL. When a certificate authority signs a CSR to generate a cert, they can add details that the original CSR requester didn’t ask for, including alternative names. I don’t use self-signed certs if I can help it, preferring to use an in-house CA. I also don’t remember any CSR generator that lets one request SAN attributes.
OK, Cisco IOS can do it, but my experience is both OpenSSL and Windows Cert Services ignores it. I’ve had to specify SAN attributes when signing the CSRs coming from that.
Were you asking for Zeroshell to be able to create a self-signed certificate with SAN attributes added? I’m finding plenty of examples for IIS6 and IIS7 but not for what Zeroshell uses as a web server. But you could set up an in-house CA with OpenSSL or Certificate Services and make up SAN certs in the meantime, until Zeroshell gets the feature.March 28, 2012 at 5:54 pm #52071
Were you asking for Zeroshell to be able to create a self-signed certificate with SAN attributes added? […]
No, I don’t need a self-signed certificate with SAN attribute.
As you know, Zeroshell contains a simple CA.
It can issue a regular cert for a host.
I have a small deployment of a couple of laptops with a wireless network.
I’m using a build-in RADIUS server with EAP-TLS authentication.
For that reason and according to MS kb814394, the RADIUS server
needs a SAN attribute defined.
LDecember 29, 2013 at 9:06 am #52072PatrickBMember
I have a LAN with a local domain managed by a ZS device, with a local CA, and this LAN master generates the Host certificates I need.
I wrote: a local domain with a local CA, because the price to pay for all the certificates (or a wildcard) on a Internet domain would be prohibitive and pure waste of money in this case.
It is natural to have shortcut names for local services (webdav, caldav etc.) and when several of them are provided by the same host, a single certificate with alternative names would be much handier to setup.
Thanks, Best regards.December 29, 2013 at 12:33 pm #52073redfiveParticipant
You can use openssl via cli , or xca (with gui) for certificate generation and management , then import the cert with extensions you need in Zs.
Greetings and happy holidaysJanuary 3, 2014 at 8:31 pm #52074PatrickBMember
I will install it, recover my existing CA notably, and test asap.
If it really works as it looks, it is a very good solution.
Indeed it may not be the best idea to keep the CA on the device that is in first line on the LAN.
- You must be logged in to reply to this topic.