SSL Cert. Request with multiple CNs?
Greetings to all of the Gurus out there!
Is it possible to generate a Certificate Request within iMS (version 5.2) that will handle multiple CNs? In other words, we could request a certificate that would work for mail.foo.com, pop.foo.com, imap.foo.com, etc., etc. Or, failing that, is it possible to somehow create and register multiple certs to accomplish this?
I know how to do this by using OpenSSL, but if I do that, then iPlanet doesn't know about the private OpenSSL key that I used to generate the certificate.
Any help is appreciated.
By KevinTower at 2007-11-25 8:44:38

Did you ever get an answer to this? I'm interested in doing the same thing.
Thanks,
Bob Jones
> Greetings to all of the Gurus out there!
>
> Is it possible to generate a Certificate Request
> within iMS (version 5.2) that will handle multiple
> CNs? In other words, we could request a certificate
> that would work for mail.foo.com, pop.foo.com,
> imap.foo.com, etc., etc. Or, failing that, is it
> possible to somehow create and register multiple
> certs to accomplish this?
I know you definitely can't do it with multiple certs. Unfortunately, most of the iPlanet products only let you apply one cert to the product. We're basically telling our users to just use one name for both HTTPS and IMAPS. SMTPS is running on two different machines that are sharing a cert (using the copy cert7 and key3 db's trick).
I'd like to revive this thread, since it appears that there originally was not a solution posted. I too am interested in whether JES msg-serv has made accommodations for this.
I will restate the question:
How would one go about configuring ssl within a standalone JES msg-serv to support multiple certs (or one cert with multiple names (cn)) in order to achieve settings for the different protocols such that:
smtp.foo.com
imap.foo.com
webmail.foo.com
would be available? Is this possible? I don't find much regarding this topic after searching and I suspect there would be a big interest in this.
-john
Hi,
Are you using an MMP & MEM for user access, or do you just have a stand-alone messaging installation to provide access? If the installation is stand-alone I don't know of a way to specify more than one certificate for each service.
Personally in this case I would just use mail.foo.com and be done with it (saves on costs if nothing else).
Regards,
Shane.
> Hi,
>
> Are you using an MMP & MEM for user access or do you
> just have a stand-alone messaging installation to
> provide access.
We at this time are using a stand alone instance of msg-serv (JES 6.2).
> If the installation is stand-alone I
> don't know of a way to specify more then one
> certificate for each service.
So if I recall properly, based on iMS 5.2 experience, I can insert 1 Cert in the msg-serv and this is used by all services: smtp, imap, http. What I am not sure of, and this is where someone who has taken this further would help, is if I am obligated to use the hostname that the msg-serv is running on as my cert's cn?
In my case the msg-serv instance is running on the host: kady-amd.education.ucsb.edu and I would prefer to have 1 cert that was listed as from mail.education.ucsb.edu
I am wondering if this will require at the OS level, a virtual hostname set up or can I do this with msg-serv ?
I am curious what tricks are available, or that folks might have tried.
-john
Hi,
> If the installation is stand-alone I
> > don't know of a way to specify more then one
> > certificate for each service.
>
> So if I recall prperly, based on iMS 5.2 experience,
> I can insert 1 Cert in the msg-serv and this is used
> by all services: smtp,imap,http.
Correct - for a stand-alone installation.
> What I am not sure
> of, and this is where someone who has taken this
> further, is if I am obligated to use the hostname
> that the msg-serv is running on as my cert's cn?
No, you aren't obligated to use the hostname. You can use any name you want - you specify the name to be presented to clients during the certificate request stage.
> In my case the msg-serv instance is running on the
> host: kady-amd.education.ucsb.edu and i would prefer
> to have 1 cert that was listed as from
> mail.education.ucsb.edu
Yep sounds like a plan to me. This way your users only have to remember one address. Also if you decide to expand later (e.g. add in a MMP proxy and multiple backend hosts) you can just copy the certificate database files to the MMP, repoint the mail.education.ucsb.edu IP address and away you go.
> I am wondering if this will require at the OS level,
> a virtual hostname set up or can I do this with
> msg-serv ?
All you need is the DNS record for mail.education.ucsb.edu to point at the IP address of the standalone system.
Regards,
Shane.
We have since moved to using a single name for all services (with MMP and MEM). However, for many years we used one cert for Msg 5.2 and then 6.1 with multiple Subj Alt Names (not sure if it's the same as CN's in the cert world). Messaging doesn't seem to care; it's the email clients/browsers that tend to complain (Eudora is famous for this and IE sometimes has issues). We had a wildcard cert as the primary name and then created other Subj Alt. Names for the other access names. Never had any issues with installing the cert or messaging complaining about it.
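The certificate shape the last reply describes (one primary CN plus Subject Alternative Names for the other access names) can be requested with OpenSSL, which the original poster mentioned. The script below is an added example, not from this thread or from any iPlanet/JES tool; it writes a CSR for a constructed set of foo.com names and reads the SAN list back out of the CSR so you can confirm every service name is covered before sending the request to a CA.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName lists every hostname the
# messaging server answers to, so a single certificate (CN=mail.foo.com)
# is also valid for the smtp/imap/pop/webmail names. Hostnames are constructed.
set -eu

# make_san_csr OUTDIR CN ALTNAME...
# Writes OUTDIR/server.key (unencrypted RSA key) and OUTDIR/server.csr.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    san="DNS:$cn"                       # the CN is repeated in the SAN list
    for name in "$@"; do
        san="$san,DNS:$name"
    done
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
CN = $cn

[v3_req]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" \
        -config "$outdir/san.cnf" 2>/dev/null
}

# csr_sans CSRFILE
# Prints the DNS names carried in the CSR's SAN extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n1 | tr ',' '\n' | sed 's/^ *DNS://'
}

demo_dir=$(mktemp -d)
make_san_csr "$demo_dir" mail.foo.com \
    smtp.foo.com imap.foo.com pop.foo.com webmail.foo.com
csr_sans "$demo_dir/server.csr"
```

The private key produced here lives in server.key, outside the server's cert7/key3 database, which is exactly the mismatch the original poster raised; the CSR is only useful if the server can import the resulting key and certificate together.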