On 18/09/2022 11:09, Stuart Henderson wrote:
On 2022-09-14, Goetz Schultz <dovecot.expire1225@suelze.de> wrote:
I had the same issue on TB102. Self-Signed certificates rejected despite having the CA installed correctly as authority. Turns out that TB now wants extension "Subject Alt Names". Added that and all works now. Seems another Google pressed issue being introduced (my Chromium had same issues and rejected certs before I added SAN).
It's not just a "Google pressed issue".
Seems I was hasty in blaming .....
[..]
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName, otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
Thanks for the elaboration. I have it now under control to sign certs that have a SAN in the CSR.
Thanks and regards
Goetz R Schultz
---------------->8----------------
Quis custodiet ipsos custodes?
/"\
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \
----------------8<----------------
---------------------------->8------------------------------
This message is transmitted on 100% recycled electrons.
---------------------------->8------------------------------
Unsigned message - no responsibility that content is not altered
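
The SAN requirement discussed in the thread, as an added example that is not part of the original messages: an internal CA signs the same CSR twice with the OpenSSL command line, once losing the SAN the CSR asked for and once carrying it into the certificate. The use of `openssl`, the host name `mail.example.test` and all file names are assumptions made for the illustration; the thread does not say which tooling was used.

```shell
#!/bin/sh
# Added example (constructed): an internal CA signs the same CSR twice,
# once dropping the CSR's SAN and once carrying it into the certificate.
# Host name and file names are placeholders.

issue_certs() {
    dir=$1
    host=$2

    # Internal CA: self-signed root, key left unencrypted for the demo only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # Server key and CSR; the CSR requests subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

    # Pitfall: "openssl x509 -req" does not copy extensions from the CSR
    # unless told to, so this certificate ends up without a SAN.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/no-san.crt" 2>/dev/null || return 1

    # Fix: hand the SAN to the signing step through an extension file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/with-san.crt" 2>/dev/null || return 1
}

# True when the certificate carries a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# True when the CSR requests a subjectAltName extension.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Usage: d=$(mktemp -d); issue_certs "$d" mail.example.test
#        has_san "$d/with-san.crt" && echo "SAN present"
```

Running `has_san` on every certificate the internal CA issues, before it is deployed, catches the case where the CSR had a SAN but the signed certificate does not.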