Re: Root Certificate




On 1/24/06 3:13:13 PM, in article BFFC10A9.7B48%kledgister@xxxxxxxxxxxx,
"Kevin Ledgister" <kledgister@xxxxxxxxxxxx> wrote:

> On 1/24/06 2:45 PM, in article BFFBD1FE.948D7%nathanh@xxxxxxxxxxxxxxxxxxxx,
> "Nathan Herring [MSFT]" <nathanh@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> On 1/24/06 7:05:53 AM, in article BFFB9E71.708E%kledgister@xxxxxxxxxxxx,
>> "Kevin Ledgister" <kledgister@xxxxxxxxxxxx> wrote:
>>
>>> I checked out our issuer's certificate and the common name listed in the
>>> Subject Name and Issuer Name is different and we don't have Subject
>>> Alternative Name.
>>>
>>> Is it the fact that the common name is different why I am experiencing these
>>> problems?
>>
>> Correct.
>>
>>> Is there anything I can do on the client end to fix this? My IT dept. is
>>> swamped and they promised to look at it but couldn't guarantee a fix.
>>
>> I haven't validated it, but I believe there was a previous post by Chris
>> Ridd which may do the trick.
>>
>>> Are the updates to Entourage to fix some of these issues coming in an update
>>> or a whole new release?
>>
>> The updates will not fix your issue -- Entourage is operating by design with
>> regard to your issue. All but one of the fixes are coming in an update.
>>
>> -nh
>
> I tried Chris Ridd's suggestion but it didn't work for Exchange (but it
> helped for ldap).
>
> In my example, the common names of the certificate do not match and neither
> of the common names are the same as the server name used in the OWA URL.
> (For example, the common name is EXCH1234 and MCWEB but the OWA URL is
> https://webmail.mycompany.com/exchange).
>
> Should the common name be webmail.mycompany.com and must both common names
> match?

The common name should be specific to the server. I would suggest that the
common name remain "EXCH1234.fully.qualified.domain.name" and you add a
subject alternative name extension with FQDN entries of
"EXCH1234.fully.qualified.domain.name" and "webmail.mycompany.com" -- the
duplication is just for explicitness, that the common name really is a FQDN
and not some other random name. That way, every server can have its own
certificate, but all of them with the subjectAltName extension can support
accesses via the OWA URL as well.

I'd also suggest using an IP address of the server in the subject
alternative name (so long as it's an actual internet IP address statically
assigned to the machine), but Entourage's SSL code doesn't do subjectAltName
IP matching in the current release, and there's actually a bug (which will
be addressed in an upcoming update) which causes certificates with an IP
address subjectAlternativeName entry to be mis-parsed, considered to be
badly formed, and thus treated as untrusted. As it is, I'd hold off until
the update, and even then, you still won't be able to securely connect to
the server by IP address.

Unfortunately, the stock installation of Microsoft certificate server
doesn't allow you to create certificates with a subject alternative name. If
you're using it to generate the certificates, you have to tweak some
settings first. I found a summary of how to do it here for LDAP (though it's
identical for your purpose):
<http://guy.netguru.co.il/categories/6-Security>. The steps use a lot of
information from
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx>
which is more of a reference than a How-To.

If they're using certtool, I don't think it'll be able to generate the
request -- they'll have to use openssl req (or just req(1)), though I'm not
quite sure how to specify the additional subject alternative name item.

> Sorry to be a pain on this but I want to inform our IT department with
> precise information.

Understandable.

-nh

--
Nathan Herring
MacBU SDE/Development

This posting is provided "AS IS" with no warranties, and confers no rights.
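What follows is an added worked example, not part of Nathan's or Kevin's posts and not Microsoft code, showing how to do with OpenSSL what the reply describes: keep the common name as the server's own FQDN, add a subjectAltName extension carrying both that FQDN and the OWA hostname, and then ask OpenSSL which names it would accept for the resulting certificate, next to a certificate with the same CN and no SAN (the situation Kevin reports). EXCH1234.fully.qualified.domain.name and webmail.mycompany.com are the placeholders from the thread and MCWEB is the other common name Kevin mentioned; the scratch directory, file names and the self-signing step are assumptions for a local test only (in a real deployment the CSR goes to the CA, which must copy the requested extensions into the issued certificate). It needs OpenSSL 1.0.2 or later for -checkhost.

```sh
#!/bin/sh
# Added example, not from the original thread. Builds a server certificate
# whose CN is the server's own FQDN and whose subjectAltName also carries the
# OWA hostname, then asks OpenSSL which names it accepts for that cert, next
# to a cert with the same CN and no SAN. Placeholder names come from the
# thread; the scratch directory and self-signing are assumptions for a local
# test only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_FQDN="EXCH1234.fully.qualified.domain.name"   # CN: server-specific
OWA_HOST="webmail.mycompany.com"                     # host part of the OWA URL

# Write an openssl config: $1 = file, $2 = "with-san" or "no-san".
# With SAN, the FQDN is repeated for explicitness and the OWA host is added,
# so every server keeps its own cert but all of them can serve the OWA URL.
write_config() {
  {
    cat <<EOF
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no

[ req_dn ]
CN = $SERVER_FQDN

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    if [ "$2" = "with-san" ]; then
      cat <<EOF
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $SERVER_FQDN
DNS.2 = $OWA_HOST
EOF
    fi
  } > "$1"
}

# Make a key and CSR ($1 = base name, $2 = with-san|no-san). The CSR is what
# the IT department would submit to the CA. Here it is self-signed so the
# example runs locally; the SAN is carried across from the same config file
# with -extfile/-extensions. Prints the certificate path.
issue_test_cert() {
  write_config "$WORK/$1.cnf" "$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -config "$WORK/$1.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
    -extfile "$WORK/$1.cnf" -extensions v3_req -out "$WORK/$1.crt" 2>/dev/null
  echo "$WORK/$1.crt"
}

# Print the SAN values of a certificate (empty when it has none).
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

# Exit 0 when OpenSSL's hostname check accepts $2 for cert $1. The rule it
# applies (RFC 6125 style): if the cert has any dNSName SAN entry, only the
# SAN is consulted; the CN is a fallback only when there is no dNSName.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

WITH_SAN=$(issue_test_cert with_san with-san)
NO_SAN=$(issue_test_cert no_san no-san)

for cert in "$WITH_SAN" "$NO_SAN"; do
  echo "== $cert"
  echo "SAN: $(san_entries "$cert")"
  for host in "$SERVER_FQDN" "$OWA_HOST" "MCWEB"; do
    if cert_matches_host "$cert" "$host"; then
      echo "  $host: accepted"
    else
      echo "  $host: rejected"
    fi
  done
done
```

Run as-is; the with-SAN certificate is accepted for both the server FQDN and webmail.mycompany.com and rejected for MCWEB, while the no-SAN certificate is accepted only for the FQDN in its CN, which is why an OWA URL pointing at webmail.mycompany.com fails against it. To inspect the CSR before sending it to the CA, `openssl req -in with_san.csr -noout -text` shows the requested subjectAltName under "Requested Extensions".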
