[Pki-users] DogTag 1.3 and Subject Alternate Name

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Aug 31 18:43:02 UTC 2010


I have installed DogTag 1.3 Certificate Server (CA and RA) components on 
Fedora Core 11.

I want to configure a server certificate with a Subject Alternate Name.


I used openssl to create a private key and a certificate signing request 
on the server in question.

     openssl genrsa -out server1.key -des3 1024
     openssl req -new -key server1.key -out server.csr


I am prompted along the way to include an e-mail address and subject 
alternate name.  Both are permitted but optional in my openssl.cnf file.

I can look at the csr with
     openssl req -in server.csr -text

By default, openssl creates a req with the following line

Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT, CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail@company.com




You can see that e-mail and SAN are part of the CN attribute.

I went to the "Certificate System RA Services Page" 
(https://myserver:12890) -> SSL End Users Services -> Server Enrollment 
-> Request Submission. I pasted the contents of the csr file into the 
web page. The administrator (i.e. me) gets e-mail notification of a 
certificate request, and follows the link to approve it. However, if I 
have included either e-mail or SAN the request will fail because the 
subject name doesn't match.

CA: Request Rejected - Subject Name Not Matched
E=mymail@company.com,CN=server.company.com,OU=IT,O=My Company,L=MyCity,ST=California,C=US

If I compare the dogtag error message to the original csr file I can see 
that dogtag expects a different syntax for e-mail. Dogtag expects it 
as a separate "E" attribute (It still seems to have translated the 
attributes appropriately but then complains the subject doesn't 
match.) I can work around this by either omitting e-mail in the csr 
altogether or explicitly setting the subject attribute with the "openssl 
req -subj"

-> openssl req -new -key server.key -out server.csr -subj 
"/E=mymail@company.com,CN=server.company.com,OU=IT,O=My Company 
Name,L=MyCity,ST=California,C=US"
Enter pass phrase for server.key:
Subject Attribute E has no known NID, skipped
->


However, I can't figure out how to make this work for the Subject 
Alternate Name.

DogTag rejects the certificate with

CA: Request Rejected - Subject Name Not Matched E=mymail@company.com 
,2.5.29.17=www.company.com,CN=server....


Is there a "NID" parameter that dogtag expects for SAN?




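As an added example (not from the original post or from the DogTag project), the following script builds a CSR that keeps the e-mail in the subject DN under OpenSSL's own attribute name emailAddress (OpenSSL has no "E" short name, which is why the -subj attempt above reports "no known NID"; -subj also separates attributes with "/" rather than ",") and carries www.company.com in a subjectAltName extension request (OID 2.5.29.17) instead of inside the DN. The names and the working directory are constructed sample values; whether DogTag 1.3 honours a requested extension depends on its enrollment setup, which this example does not address.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR whose subject DN
# carries the e-mail as OpenSSL's emailAddress attribute (DogTag shows it as E)
# and whose alternate name is a subjectAltName extension request (2.5.29.17),
# not part of the DN. All names below are constructed sample values.
set -e

# make_san_csr WORKDIR DNSNAME -> writes WORKDIR/server.key and WORKDIR/server.csr
make_san_csr() {
  dir=$1
  san_host=$2
  cfg="$dir/san.cnf"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
C            = US
ST           = California
L            = MyCity
O            = MyCompany
OU           = IT
CN           = server.company.com
emailAddress = mymail@company.com
[ v3_req ]
subjectAltName = DNS:$san_host
EOF
  # genrsa writes an unencrypted key here to stay non-interactive; the
  # original post's -des3 passphrase protection is the better choice on a server.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$cfg" -out "$dir/server.csr"
}

# csr_subject CSR -> the subject DN line as OpenSSL prints it (no SAN in it)
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# csr_san CSR -> value of the requested subjectAltName extension, e.g. DNS:www.company.com
csr_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: make_san_csr /tmp/work www.company.com
#        csr_subject /tmp/work/server.csr; csr_san /tmp/work/server.csr
```

Comparing the two outputs shows what DogTag matches against (the DN, with emailAddress rendered as E) and what the 2.5.29.17 value is when it is a proper extension rather than a DN component.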