Thursday, December 31, 2009

Subject Alternative Name with GSKit

Subject Alternative Names (SANs) allow you to obtain a single SSL certificate that protects multiple host names. So let's say you have two LDAP servers (server1 and server2) and you want to enable SSL, but you want clients to reference only one DNS name (ldapserver), most likely a load balancer of some kind sitting in front of the LDAP servers, to reach either of them. One way to do the Certificate Signing Request (CSR) is to specify "ldapserver" in the host name (common name) field and then specify "server1" and "server2" as SANs. Keep in mind that once a certificate carries a dNSName SAN, a standards-following client (RFC 2818, and later RFC 6125) matches the host name against the SAN list only and ignores the common name, so the name clients actually connect to, ldapserver here, belongs in the SAN list as well. The problem is that IKeyMan doesn't have a way of including a SAN in the CSR.

This is not a problem, for a couple of reasons. For one, the GSKit command line tools can put a SAN into a certificate or a certificate request even though the IKeyMan GUI cannot. The -san_dnsname option takes a comma-separated list of DNS names. Note that the command below (-cert -create) produces a self-signed certificate, with -expire giving its validity in days (3653 is about ten years); to produce a CSR to send to a CA instead, use gsk7cmd -certreq -create with -file naming the request file and the same -san_dnsname option (check the usage output of gsk7cmd on your GSKit level, since older levels predate SAN support). Be aware that a password given with -pw shows up in shell history and process listings.

gsk7cmd -cert -create -db /keys/tds.kdb -pw password -label junk -dn "cn=tds1,o=bigco,c=us" -san_dnsname tdswin1,tdssrv1 -expire 3653

The other option is to create the CSR using IKeyMan without the SAN. When you paste the CSR into the web form at VeriSign or whichever other CA you choose, you should be able to use the CA's form to specify the SANs (CAs typically sell this as a multi-domain or UCC certificate). The CA adds the extension when it signs, so the certificate you receive back will contain the SANs even though the request did not ask for them. IKeyMan supports receiving the signed certificate back into the key database with the SAN included, because the receive operation only requires that the certificate's public key match the key pair the CSR was generated from; extra extensions do not matter. In fact this is the easiest way to do this. For your LDAP servers it is best to create the key database using IKeyMan and issue the CSR from there, so that you can do the Receive Certificate operation later when the signed certificate comes back from the CA. Before you receive and deploy it, check that every name clients will use actually appears in the SAN list, for example with openssl x509 -in <certfile> -noout -text; a missing name is much cheaper to fix with the CA before the certificate is in production.
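As an added example (not from the original post and not IBM's or GSKit's code), here is a Go program using only the standard library that shows both halves of the procedure above: a PKCS#10 request that carries the SAN list the way the gsk7cmd -san_dnsname option does, and a check that the certificate handed back actually covers every host name clients will use. The certificate is self-signed as a stand-in for the CA-issued one, the ECDSA P-256 key is an assumption, the organization and country are taken from the gsk7cmd DN, and the host names ldapserver, server1 and server2 are the ones from the scenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// subject mirrors the DN used in the gsk7cmd example ("o=bigco,c=us").
func subject(cn string) pkix.Name {
	return pkix.Name{CommonName: cn, Organization: []string{"bigco"}, Country: []string{"US"}}
}

// BuildCSR creates a PKCS#10 request whose subjectAltName extension lists
// sans as dNSName entries, which is what gsk7cmd -san_dnsname adds. The DER
// is re-parsed so the caller sees exactly what a CA would receive.
func BuildCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: ECDSA P-256 key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject(cn), DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// BuildCert issues a self-signed certificate with the given CN and SAN list.
// It is constructed here as a stand-in for the certificate a CA would return.
func BuildCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject(cn),
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MissingNames returns the host names in wanted that a standards-following
// client would refuse to match against cert. VerifyHostname applies RFC 2818 /
// RFC 6125 matching: the dNSName SAN entries are what count, so a name that
// appears only in the CN is reported as missing.
func MissingNames(cert *x509.Certificate, wanted []string) []string {
	var missing []string
	for _, h := range wanted {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Constructed scenario: clients use ldapserver, the real servers are server1 and server2.
	wanted := []string{"ldapserver", "server1", "server2"}

	csr, err := BuildCSR("ldapserver", wanted)
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR subject:", csr.Subject.CommonName, "SANs:", csr.DNSNames)

	// CN=ldapserver but only the real servers in the SAN: clients connecting
	// to ldapserver will reject this certificate.
	cnOnly, err := BuildCert("ldapserver", []string{"server1", "server2"})
	if err != nil {
		panic(err)
	}
	fmt.Println("ldapserver only in CN, names not covered:", MissingNames(cnOnly, wanted))

	// Same CN with ldapserver added to the SAN list: every name is covered.
	full, err := BuildCert("ldapserver", wanted)
	if err != nil {
		panic(err)
	}
	fmt.Println("ldapserver also in SAN, names not covered:", MissingNames(full, wanted))
}
```

Run it with go run and the first certificate reports ldapserver as not covered while the second reports nothing missing; the same MissingNames check can be pointed at the real certificate from the CA (parse the .arm file with encoding/pem and x509.ParseCertificate) before you receive it into the key database.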