IBM Support

Does Domino HTTP allow SSL certificates with SubjectAltName?

Technote (troubleshooting)


Problem

Subject Alternative Names allow a single SSL site certificate to secure the same IP address when it is accessed over different DNS hostnames.

For example, an SSL certificate could have these values present in the subjectAltName attribute:
company.com
mail.company.com

Web browsers check any alternate names specified, in addition to the certificate common name, when performing certificate security checks. This functionality is addressed in RFC822, and the names are extensions of the X.509 certificate.


Cause

Unfortunately, the Domino Certificate Authority does not have a mechanism to generate certificates with these types of X.509 extensions, and similarly is unable to create a Certificate Signing Request (CSR) that identifies a SubjectAltName.

However, some Certificate Authorities allow you to specify the SubjectAltName after creating the certificate request. This allows you to add the Subject Alternative Names outside of generating a CSR.


Resolving the problem

A certificate from a third-party CA containing SubjectAltName can be successfully merged into a Domino kyr keyfile using the Server Certificate Admin database. This allows Domino to use a certificate implementing alternative DNS names, provided it is signed by a third-party certificate authority.
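
Before merging a CA-issued certificate into the keyfile, it is worth confirming that its subjectAltName actually lists every DNS hostname the server is reached by. The script below is an added example, not IBM or Domino code; it assumes the OpenSSL command-line tool (1.0.2 or later) and a PEM-encoded certificate, and the function names and the throwaway self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# List the dNSName entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every required hostname that the certificate's SAN does not cover.
# Usage: missing_sans cert.pem host1 [host2 ...]
missing_sans() {
    cert=$1; shift
    have_san=$(san_dns_names "$cert")
    for host in "$@"; do
        # Without dNSName entries OpenSSL falls back to the common name,
        # so an empty SAN list counts as "not covered" here.
        if [ -z "$have_san" ] ||
           ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
               grep -q 'does match certificate'; then
            echo "$host"
        fi
    done
}

# Constructed sample input: a self-signed certificate (not from a real CA)
# with the two names from the example above. Writes cert.pem into directory $1.
make_sample_cert() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = company.com
[ext]
subjectAltName = DNS:company.com,DNS:mail.company.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Demo: www.company.com is reported because it is not in the SAN list.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
missing_sans "$tmp/cert.pem" company.com mail.company.com www.company.com
rm -rf "$tmp"
```

Run `missing_sans` against the certificate returned by the CA; empty output means every listed hostname is covered, including by a wildcard entry.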

SPR # JLBS6BFLHF has been created as an enhancement request to develop mechanisms within Domino to better support these x.509 certificate extensions.

Related information

How to set up SSL using a third-party CA

Document information

More support for: IBM Domino
Security

Software version: 8.0, 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1304265

Modified date: 25 November 2013

