ssl certificate for multiple hostnames

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Thu Jun 11 13:28:44 CEST 2009


On Thu, Jun 11, 2009 at 9:25 AM, Alain Spineux<aspineux at gmail.com> wrote:
> On Tue, Jun 9, 2009 at 2:55 PM, Liutauras
> Adomaitis<liutauras.adomaitis at gmail.com> wrote:
>> Hi all,
>>
>> I want to create ssl certificate for smtp, pop3, imap and http
>> services on kolab box which will accept multiple hostnames. As in
>> http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/
>> it should be possible, isn't it?
>>
>> I'm not very good at understanding all the ssl stuff, but trying to ...
>> Questions:
>> - Is it possible to have certificate which accepts multiple hostnames
>
> Yes, you can! But you cannot "host" multiple certificates on the same
> IP and port because the certificate is the first thing the server
> sends, before it knows which site you want to connect to!
> Most of the cheap certificates you will buy on the internet will not
> allow you to manage multiple domains!
>
>> (I have a DNS server inside my LAN and it is hosting the kolab.local domain,
>> but from outside I use the kolab.com domain)
>
> Is this what you mean by multiple hostnames?

Yes

>> - The link I refer to is saying that I have to:
>>  -- modify openssl.cnf file
>>  -- create certificate request .csr
>>  -- create selfsigned ca.
>> Should I use kolab_ca.sh for that purpose?
>> Which openssl.cnf file should I modify ( I see that scripts are
>> creating temporary cnf files, so maybe edit scripts instead of
>> /kolab/etc/openssl/openssl.cnf file)
>
> Sorry I don't do this every day, cannot help you so easily

Ok, I was impatient and tried it myself. Investigating the kolab-bootstrap
script I made a shell script for that purpose:
---
#!/kolab/lib/openpkg/bash

# create the CA, the server key, the request, and sign the request with the CA
/kolab/etc/kolab/kolab_ca.sh -newca MYHOSTNAME
/kolab/etc/kolab/kolab_ca.sh -newkey MYHOSTNAME /kolab/etc/kolab/key.pem
/kolab/etc/kolab/kolab_ca.sh -newreq MYHOSTNAME /kolab/etc/kolab/key.pem /kolab/etc/kolab/newreq.pem
/kolab/etc/kolab/kolab_ca.sh -sign /kolab/etc/kolab/newreq.pem /kolab/etc/kolab/cert.pem

# key and certificate readable by the kolab-r group only
chgrp kolab-r /kolab/etc/kolab/key.pem /kolab/etc/kolab/cert.pem
chmod 0640 /kolab/etc/kolab/key.pem /kolab/etc/kolab/cert.pem
# publish the CA certificate for clients to import
cp /kolab/etc/kolab/ca/cacert.pem /kolab/etc/kolab/kolabserver-ca.crt
chmod 0644 /kolab/etc/kolab/kolabserver-ca.crt
---
Then if I delete the /kolab/etc/kolab/ca directory I can use this script
to generate a new certificate. To create a multihost certificate you have
to edit the /kolab/etc/kolab/kolab-ca.sh script to make changes to the
kolabssl.cnf file which is created by the script on the fly. I could
create a multihost script and it showed that there were alternative DNS
names included in the certificate, but Outlook was not working -
"certificate is not valid for the requested usage". I reverted my
changes and created a certificate with another FQDN (no alternative DNS
names) and it was OK; Outlook is working with no complaints after
importing the certificate into Windows.

>> What should I know more? maybe running kolab_ca.sh will make some
>> undesirable changes.
>> How to do that to have minimum effect on running services?
>
> If you self-sign your own certificate, you need to register your CA
> certificate in all your client applications (like your browser).
> Why not just trust your current certificate instead! Just ignore the
> message about the untrusted CA and accept the certificate.
> Tell all your users to do the same.

I'm not sure I understood your last sentences, but there is no
problem accepting the certificate in a browser, because it is permanent,
but it is a problem with Outlook, which complains about the untrusted
certificate every time you start it. The only solution I found is to
import the /kolab/etc/kolab/kolabserver-ca.crt certificate manually.

Liutauras
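The thread above describes editing the on-the-fly kolabssl.cnf so the certificate carries alternative DNS names, and then hitting a "not valid for the requested usage" error in Outlook. The script below is an added example, not kolab_ca.sh or anything from the Kolab project: it shows what such an openssl config needs (a subjectAltName list together with an extendedKeyUsage that includes serverAuth), issues a CA-signed certificate with it, and then checks with openssl which hostnames the result is actually valid for, including the usage check that a TLS client performs. The CA name, the hostnames kolab.local / kolab.com / mail.kolab.com, the file names and the temporary working directory are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not Kolab code): issue a server certificate for several
# hostnames via subjectAltName and check which names it is valid for.
# Hostnames, file names and the working directory are assumptions.
set -eu

WORKDIR=$(mktemp -d)
CONF="$WORKDIR/san.cnf"

# The v3_req section is what a kolabssl.cnf would need for a multihost
# certificate. Note extendedKeyUsage: when an EKU extension is present it
# restricts the certificate, so it must list serverAuth for TLS server use.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = kolab.local

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = kolab.local
DNS.2 = kolab.com
DNS.3 = mail.kolab.com
EOF

# Self-signed CA (the role of "kolab_ca.sh -newca" in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -config "$CONF" -extensions v3_ca -subj "/CN=Example Kolab CA" \
  -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null

# Server key and CSR; req_extensions puts the SAN list into the request.
openssl req -new -newkey rsa:2048 -nodes -config "$CONF" \
  -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null

# Sign with the CA. Extensions in a CSR are not copied unless the signer
# asks for them, hence -extfile/-extensions here.
openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
  -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
  -extfile "$CONF" -extensions v3_req -out "$WORKDIR/server.crt" 2>/dev/null

# Print the subjectAltName line of the issued certificate.
san_list() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 only if the certificate chains to the CA, passes the TLS server
# usage check (-purpose sslserver looks at keyUsage/extendedKeyUsage) and
# matches the hostname in $1 against its SAN entries.
cert_valid_for() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver \
    -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

san_list
for host in kolab.local kolab.com mail.kolab.com imap.kolab.com; do
  if cert_valid_for "$host"; then
    echo "$host: valid"
  else
    echo "$host: NOT valid for this certificate"
  fi
done
```

Run it as an ordinary shell script on a machine with the openssl binary; the last name in the loop is deliberately absent from the SAN list so the failure case is visible. The -purpose sslserver check is the openssl counterpart of the usage check a mail client makes, so a certificate whose extension section has an EKU without serverAuth fails here before it is ever deployed.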
