Tuesday, 10 November 2015

IBM HTTP Server - Problem with Subject Alternate Names

I'm creating an end-to-end SSL/TLS configuration, using MS Active Directory as my Public Key Infrastructure (PKI) Certificate Authority (CA) Signer.

As part of this, I'm using the Subject Alternate Name (SAN) field in the Certificate Request, so that BOTH the service name, e.g. ibmbpm.uk.ibm.com, and the server's host name, e.g. nemdemo.uk.ibm.com, can be specified.

This was what I'd specified when I created the Certificate Request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label nemdemo.uk.ibm.com -dn "cn=ibmbpm.uk.ibm.com,dc=uk,dc=ibm,dc=com" -file /home/wasadmin/nemdemo.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname nemdemo.uk.ibm.com

This worked perfectly until ....


I see that when accessing the server using the service name rather than the host name.

After some digging, I realised that, whilst I can/should specify the service name as the Distinguished Name (DN), I also need to ensure that the Subject Alternate Name has ALL the values by which this certificate is going to be "known", i.e. BOTH the hostname(s) AND the service name. The reason is that, once a certificate carries a SAN extension, clients doing hostname verification (RFC 2818 / RFC 6125) check only the SAN entries and ignore the Common Name, so a service name that appears only in the DN is never matched.

Once I correctly specified BOTH: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label nemdemo.uk.ibm.com -dn "cn=ibmbpm.uk.ibm.com,dc=uk,dc=ibm,dc=com" -file /home/wasadmin/nemdemo.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "nemdemo.uk.ibm.com,ibmbpm.uk.ibm.com"

it simply worked.
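As an added example (not from the post), this Python re-implements the client-side hostname check that explains the behaviour above. The two certificate dicts are constructed to mirror the post's first and second requests, laid out the way ssl.SSLSocket.getpeercert() returns them; they are not real certificates.

```python
# Hostname verification as TLS clients do it (RFC 2818 / RFC 6125):
# SAN DNS entries are authoritative; the CN is a fallback used only when
# the certificate carries no SAN DNS entries at all.

def san_dns_names(cert):
    """DNS entries of the SAN extension, lower-cased; empty if none."""
    return [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def common_name(cert):
    """The subject's commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def _name_matches(pattern, hostname):
    """Exact match, or a '*' in the leftmost label covering exactly one label."""
    p, h = pattern.split("."), hostname.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def hostname_matches(cert, hostname):
    """True if a client connecting to `hostname` would accept `cert`."""
    hostname = hostname.lower()
    names = san_dns_names(cert)
    if not names:                      # no SAN at all: legacy CN fallback
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)

def missing_names(cert, required):
    """Names the service is reached by that the certificate would NOT satisfy."""
    return [n for n in required if not hostname_matches(cert, n)]

# Constructed samples mirroring the post's first (SAN = host only) and
# second (SAN = host + service name) certificate requests.
FIRST_CSR_CERT = {
    "subject": ((("commonName", "ibmbpm.uk.ibm.com"),),),
    "subjectAltName": (("DNS", "nemdemo.uk.ibm.com"),),
}
FIXED_CSR_CERT = {
    "subject": ((("commonName", "ibmbpm.uk.ibm.com"),),),
    "subjectAltName": (("DNS", "nemdemo.uk.ibm.com"), ("DNS", "ibmbpm.uk.ibm.com")),
}
REQUIRED = ["ibmbpm.uk.ibm.com", "nemdemo.uk.ibm.com"]

if __name__ == "__main__":
    for label, cert in (("first CSR", FIRST_CSR_CERT), ("fixed CSR", FIXED_CSR_CERT)):
        print(label, "-> names not covered:", missing_names(cert, REQUIRED))
```

Running it reports the service name as uncovered for the first request and nothing uncovered for the second, which is exactly the browser behaviour described above.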

This developerWorks article: -


also helped: -

You can also request a subject alternative name (SAN) extension by using -san_dnsname or -san_ipaddr options (not supported in version 7). For example:

gsk8capicmd -certreq -create -db server.kdb -stashed -label "My CA signed certificate" -dn "CN=host.mycompany.com,OU=unit,O=company" -san_dnsname "host1.mycompany.com,host2.mycompany.com" -san_ipaddr "10.10.10.1,10.10.10.2" -file cert_request.arm

