[jdev] subjectAltName in X.509 certificate

Vinod Panicker vinod.p at gmail.com
Tue Dec 20 02:46:24 CST 2005


Was looking at creating an X.509 certificate for the server, and was
reading the requirements in the RFC.  There are two places where
requirements are stated in RFC 3920 -

       The certificate SHOULD then be checked against the expected
       identity of the peer following the rules described in [HTTP-TLS],
       except that a subjectAltName extension of type "xmpp" MUST be
       used as the identity if present


       If a JID for any kind of XMPP entity (e.g.,
       client or server) is represented in a certificate, it MUST be
       represented as a UTF8String within an otherName entity inside the
       subjectAltName, using the [ASN.1] Object Identifier
       "id-on-xmppAddr" specified in Section 5.1.1 of this document.

So if I'm generating a cert for the server, then I need to specify the
domain that the server is serving, which is also a valid jid.  So does
that mean that I have to go according to the second para?

What the first para says isn't making sense to me.  AFAIK, there is no
"xmpp" extension for subjectAltName (did it mean to say otherName
entity? if so, what about the OID?)
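As an added illustration (not code from the post, the list, or the RFC), here is a small pure-Python DER encoder and parser for exactly the two subjectAltName forms under discussion: the otherName carrying a UTF8String under id-on-xmppAddr, and the plain dNSName that the HTTP-TLS rule falls back on. It assumes the id-on-xmppAddr OID value 1.3.6.1.5.5.7.8.5 from RFC 3920 section 5.1.1, which the message refers to but does not quote; the final check function applies the precedence the first quoted paragraph states (xmppAddr wins whenever it is present).

```python
ID_ON_XMPP_ADDR = bytes.fromhex("2b06010505070805")  # content octets of OID 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr, RFC 3920 5.1.1)

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (content lengths up to 65535)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def xmpp_addr_general_name(jid: str) -> bytes:
    """GeneralName otherName { type-id id-on-xmppAddr, value [0] EXPLICIT UTF8String }."""
    oid = _tlv(0x06, ID_ON_XMPP_ADDR)
    value = _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8")))  # [0] EXPLICIT around UTF8String (0x0C)
    return _tlv(0xA0, oid + value)                         # otherName itself is [0] IMPLICIT SEQUENCE

def dns_general_name(host: str) -> bytes:  # GeneralName dNSName: [2] IMPLICIT IA5String
    return _tlv(0x82, host.encode("ascii"))

def subject_alt_name(*names: bytes) -> bytes:  # SubjectAltName ::= SEQUENCE OF GeneralName
    return _tlv(0x30, b"".join(names))

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; returns (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    k = first & 0x7F                                      # long-form length: k further octets
    n = int.from_bytes(buf[pos:pos + k], "big")
    return tag, buf[pos + k:pos + k + n], pos + k + n

def parse_subject_alt_name(san: bytes):
    """Return (xmpp_addrs, dns_names) carried in a DER-encoded SubjectAltName value."""
    outer, body, _ = _read_tlv(san, 0)
    if outer != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    xmpp, dns, pos = [], [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(content.decode("ascii"))
        elif tag == 0xA0:  # otherName: OID followed by the [0] EXPLICIT value
            oid_tag, oid, p = _read_tlv(content, 0)
            val_tag, wrapped, _ = _read_tlv(content, p)
            if oid_tag == 0x06 and oid == ID_ON_XMPP_ADDR and val_tag == 0xA0:
                str_tag, s, _ = _read_tlv(wrapped, 0)
                if str_tag != 0x0C:
                    raise ValueError("xmppAddr MUST be a UTF8String")
                xmpp.append(s.decode("utf-8"))
    return xmpp, dns

def certificate_matches(san: bytes, expected: str) -> bool:
    xmpp, dns = parse_subject_alt_name(san)
    return expected in (xmpp if xmpp else dns)  # RFC 3920: xmppAddr MUST be used if present; dNSName only as fallback
```

Feed `parse_subject_alt_name` the raw extension value of a real certificate (what most X.509 libraries hand back for the subjectAltName extension) to see which identity a strict RFC 3920 check would actually use.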
