[openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?

Michael Ströder michael at stroeder.com
Thu Apr 30 18:02:53 UTC 2015


Alexandre Arantes wrote:
> one of them asked me why did I choose not to add the client hostname to the
> Client Certificate, thus making it usable only by that specific client.

There are no standardized naming rules for client certs like the TLS server 
hostname check implemented at the client side.

You have to define and implement your own naming/mapping rules at the server side.

> And so I started searching online for ways to do it, but found nothing.

No wonder because there's no standard way.

Several possibilites for client cert "names":
- subject DN
- issuer-DN + serial no.
- cert fingerprint
- Any naming convention stuffed into subjectAltName extension

Some inspiration in various server software:

FakeBasicAuth in Apache's mod_ssl:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Certificate Mappers in OpenDJ:
http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html

Ciao, Michael.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150430/bcaf999e/attachment-0001.bin>


More information about the openssl-users mailing list