Task 2.c. Certificate with multiple names

Many websites have different URLs. For example, www.example.com, www.example.org, and example.com all point to the same web server. Due to the hostname matching policy enforced by most TLS client programs, the common name in a certificate must match the server's hostname, or TLS clients will refuse to communicate with the server.

To allow a certificate to have multiple names, the X.509 specification defines extensions to be attached to a certificate. This extension is called Subject Alternative Name (SAN). Using the SAN extension, it's possible to specify several hostnames in the subjectAltName field of a certificate.

To generate a certificate signing request with such a field, we can use a configuration file and put all the necessary information in this file (the PKI lab shows how you can do everything in the command line). The following configuration file gives an example. It specifies the content for the subject field and adds a subjectAltName field in the extension. The field specifies several alternative names, including a wildcard name *.bank.com. It should be noted that the field must also include the one from the common name field; otherwise, the common name will not be accepted as a valid name.

Listing: server_openssl.cnf

    [ req ]
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

    [ req_distinguished_name ]
    C = US
    ST = New York
    L = Syracuse
    O = XYZ LTD
    CN = www.bank.com

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = www.bank.com
    DNS.2 = www.example.com
    DNS.3 = *.bank.com

We can use the following "openssl req" command to generate a pair of public/private keys and a certificate signing request:

    # <bits> (RSA key size) and <nnn> (SHA digest size) are placeholders; the values are not shown on this page
    openssl req -newkey rsa:<bits> -config server_openssl.cnf -batch \
        -sha<nnn> -keyout server.key -out server.csr

When the CA signs a certificate, for security reasons, by default, it does not copy the extension field from the certificate signing request into the final certificate. In order to allow the copying, we need to change openssl's configuration file. By default, openssl uses the configuration file openssl.cnf from the /usr/lib/ssl directory. Inside this file, the copy_extensions option is disabled (commented out). We do not want to modify this system-wide configuration file. Let us copy the file to our own folder and rename it as myopenssl.cnf. We then uncomment the following line from this file:

    # Extension copying option: use with caution.
    copy_extensions = copy

Now, we can use the following program to generate the certificate (server.crt) for the server from the certificate signing request (server.csr), and all the extension fields from the request will be copied to the final certificate.

    # <nnn> (SHA digest size) and <days> (validity period) are placeholders; the values are not shown on this page
    openssl ca -md sha<nnn> -days <days> -config myopenssl.cnf -batch \
        -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
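With copy_extensions = copy the CA signs whatever extensions the requester placed in the CSR, which is why the option carries the "use with caution" comment. The script below is an added example, not part of the lab text: it reads the output of `openssl req -noout -text` and refuses a request whose DNS names fall outside an approved list or that asks for CA:TRUE. The function names, the approved-domain arguments and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): vet what a CSR asks for before signing it
# with copy_extensions = copy. Input: `openssl req -noout -text` output on stdin.

# Constructed sample of that output for the CSR described above.
sample_csr_text() {
cat <<'EOF'
Certificate Request:
    Data:
        Subject: C = US, ST = New York, L = Syracuse, O = XYZ LTD, CN = www.bank.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.bank.com, DNS:www.example.com, DNS:*.bank.com
EOF
}

# Print the requested DNS names, one per line.
csr_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# vet_csr DOMAIN...: succeed only if every requested name is one of the
# approved domains or a name (wildcard included) beneath one of them, and the
# request does not ask for CA:TRUE.
vet_csr() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "REJECT: request asks for CA:TRUE"; return 1
    fi
    names=$(printf '%s\n' "$text" | csr_dns_names)
    [ -n "$names" ] || { echo "REJECT: no DNS names requested"; return 1; }
    while IFS= read -r name; do
        ok=no
        for dom in "$@"; do
            case "$name" in
                "$dom"|*".$dom") ok=yes ;;
            esac
        done
        [ "$ok" = yes ] || { echo "REJECT: $name is not an approved name"; return 1; }
    done <<EOF
$names
EOF
    echo "OK: all requested names approved"
}

# Real use: openssl req -in server.csr -noout -text | vet_csr bank.com example.com
sample_csr_text | vet_csr bank.com example.com
```

Run the check before `openssl ca`, and sign only when it exits with status 0.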