Home / server / Questions / 307122
Accepted
JMW
Asked: 2011-09-01 23:42:48 +0800 CST

openldaps wildcard certificate not accepted

  • 772

my wildcard certificate doesn't get accepted with ldap 2.4.23. when i try to connect i get the following error:

TLS certificate verification: subject:
OID.2.5.29.17=DNS:*.domain.com,CN=*.domain.com,OU=LALALA,O=LALALA S.A.,L=LALALA,ST=LALALA,C=XX,
issuer: [email protected],CN=LALALA Root C.A.,O=LALALA,L=LALALA,ST=LALALA,C=XX,
cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256,
cache hits: 0, cache misses: 0, cache not reusable: 0
TLS: hostname (openldap1.domain.com) does not match common name in certificate (*.domain.com).

my certificate is: CN=*.domain.com AND subjectAltName=DNS:*.domain.com

How can I make it so that my certificate is accepted in LDAP?

ldap ssl openldap

1 Answers

  1. Best Answer

    first i've found a page saying that, wildcards in CN don't work with openldap and you have to use subjectAltName! (I can't find that page anymore...)

    unfortunately, i've created the certificate like this, which is not the subjectAltName, that you need:

    [ req_distinguished_name ]
subjectAltName                =Alternativer Name 1
subjectAltName_default        =DNS:*.domain.com

    that's why it is displaying OID.2.5.29.17 instead of subjectAltName...

    i've found the answer for subjectAltName on: http://wiki.cacert.org/VhostTaskForce

    After studing of "RFC 2459 - Section 4.2.1.7: Subject Alternative Name" and crossreferencing to the result of isakmpd's certpatch(8) the following should work: [...] To accomplish such an CSR the following entries are needed in the openssl.cnf (please note: I only added the relevant parts for this Attribute)

    [ req ]
req_extensions          = v3_req
[ v3_req ]
subjectAltName          = DNS:www.example.com
    • 0