[openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?
Michael Ströder
michael at stroeder.com
Thu Apr 30 18:02:53 UTC 2015
Alexandre Arantes wrote:
> one of them asked me why did I choose not to add the client hostname to the
> Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server
hostname check implemented at the client side.
You have to define and implement your own naming/mapping rules at the server side.
> And so I started searching online for ways to do it, but found nothing.
No wonder because there's no standard way.
Several possibilites for client cert "names":
- subject DN
- issuer-DN + serial no.
- cert fingerprint
- Any naming convention stuffed into subjectAltName extension
Some inspiration in various server software:
FakeBasicAuth in Apache's mod_ssl:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions
Certificate Mappers in OpenDJ:
http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html
Ciao, Michael.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150430/bcaf999e/attachment-0001.bin>
More information about the openssl-users
mailing list