imaps with multiple hostnames

Craig Ringer craig at postnewspapers.com.au
Wed Nov 19 09:39:40 EST 2003


> The host must be accessible using two different hostnames - one for 
> external IMAPs via our gateway, and one for internal IMAPs with the 
> host's name on our internal network. This is causing problems with SSL 
> certs, and I was hoping there was a way to create a single certificate 
> with multiple allowed hostnames.

Inevitably, after I posted I found some more information. It hasn't 
really helped, unfortunately.

I've now created a cert with "Alternative Names" defined - the cert 
contains:

Certificate:
    ...
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                DNS:mail.localnet, DNS:localhost, \
                DNS:access.postnewspapers.com.au

Unfortunately, the mail clients I tested with - Mozilla 1.4 and Eudora 
5.2 - don't seem to see the alternative names, though they still accept 
the name listed in the CN as expected. The OpenSSL config file used 
contained:

[ usr_cert ]
...
subjectAltName=@subjectaltname

[ subjectaltname ]
DNS.1=mail.localnet
DNS.2=localhost
DNS.3=access.postnewspapers.com.au

and this seems to have created the cert as expected - things just won't 
use the entries defined in subjectAltName. The (private to the company) 
root CA cert is installed and trusted by the clients already, so that 
won't be the problem.

I haven't been able to find any info on Google etc., hence my post here. 
I'll be quite happy to write up something about how to deal with this if 
I ever find out...

Craig Ringer
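
Added example, not part of the original post: the server-identity rule from RFC 2818 section 3.1, under which dNSName entries in subjectAltName are the names checked and the CN is only a fallback, applied to the SAN list shown above. The certificate dict shape follows Python's ssl.SSLSocket.getpeercert(); the CN value and the function names are assumptions made for illustration.

```python
# Added example: RFC 2818 section 3.1 identity check. The cert dict has the
# shape returned by ssl.SSLSocket.getpeercert(). The CN value is a constructed
# placeholder; the post does not say which name the CN holds.

def label_match(pattern, host):
    """Compare one presented name with a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Conservative policy choice: '*' must be the whole left-most label
        # and at least two labels must follow it.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def presented_names(cert):
    """Return (source, names). dNSName entries win; CN is only a fallback."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return "subjectAltName", dns
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return "commonName", cns

def host_matches(cert, host):
    """True if host matches any name the certificate presents."""
    _, names = presented_names(cert)
    return any(label_match(n, host) for n in names)

# SAN list from the post; CN constructed for illustration.
CERT = {
    "subject": ((("commonName", "cn-placeholder.example"),),),
    "subjectAltName": (("DNS", "mail.localnet"), ("DNS", "localhost"),
                       ("DNS", "access.postnewspapers.com.au")),
}

if __name__ == "__main__":
    for name in ("mail.localnet", "localhost",
                 "access.postnewspapers.com.au", "cn-placeholder.example"):
        print(name, host_matches(CERT, name))
```

A client that follows this rule accepts all three SAN names and rejects the CN-only name, so comparing a client's behaviour against this output shows whether it reads subjectAltName at all.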





