Certificate server does not support PKCS #10 Certificate extensions for a CSR

  • 3421614
  • 13-Nov-2006
  • 30-Apr-2012

Environment


Novell Certificate Server (PKIS) 3.1.1
Novell eDirectory 8.7.3.8 for All Platforms
Novell eDirectory 8.8 for All Platforms
Novell iManager 2.6

Situation

Creating a Certificate Signing Request (CSR) for an external third-party certificate authority requires the following steps from within iManager 2.6:
  • Select the "Novell Certificate Server" Roles and Tasks menu
  • Select Create Server Certificate
  • Select Server and Provide a Certificate Nickname
  • Choose the custom method and click next
  • Select External certificate authority
  • Define Key Size and Usage
  • Provide Certificate parameters as required
The "Provide Certificate parameters" template offers no way to add certificate extensions to the request. A PKCS #10 CSR can carry X.509 extensions in its extensionRequest attribute (RFC 2985), which is how a Subject Alternative Name is normally requested; iManager 2.6 does not populate this attribute, so the resulting CSR requests no Subject Alternative Name at all.

Resolution

This issue has been reported to engineering.

As a workaround you can create the Certificate Signing Request with OpenSSL on a SUSE Linux system, as in the following example:
  • Modify the "/etc/ssl/openssl.cnf" configuration file so that the CSR is generated with a Directory Name as Subject Alternative Name. The [ v3_req ] section is only written into the request if the [ req ] section contains an active "req_extensions = v3_req" line; the stock file ships this line commented out, so uncomment it, otherwise the extensions are silently omitted:
.........
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=dirName:dir_sect

[ dir_sect ]
C=DE
O=Novell
OU=Security
CN=SERVER_NAME
.........
  • Generate the Certificate Signing Request with the following command (you will be prompted for the subject fields and for a passphrase that protects ServerKey.pem):

    Example:
    openssl req -newkey rsa:2048 -keyout ServerKey.pem -out ServerReq.pem
  • Send the generated certificate signing request (ServerReq.pem)
    to the Certificate Authority of your choice

  • As soon as the certificate authority has returned the issued server certificate,
    store it in a PEM file (ServerCert.pem)

  • Create a PKCS #12 envelope using the issued server certificate
    and any root certificate belonging to the trust chain

    Example:
    openssl pkcs12 -export -in ServerCert.pem -inkey ServerKey.pem -certfile RootCert.pem -out ServerCert.pfx
    (You have to provide a password to protect the pfx file)

  • Import the pfx file as a Key Material Object (KMO) assigned to the required server
    by using the "Create Server Certificate" task in the "Novell Certificate Server" Roles and Tasks menu
    • Select Server and Provide a Certificate Nickname
    • Choose the import method and click next
    • Choose the pfx file which has been generated and provide the assigned password
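The following script is an added example that walks through the whole OpenSSL workaround above end to end; it is not part of the original TID and not Novell code. It writes a minimal, self-contained OpenSSL configuration (with the req_extensions line active, so the example does not depend on /etc/ssl/openssl.cnf), generates key and CSR without prompts, checks that the Subject Alternative Name really is in the request before it would be sent anywhere, signs the request with a throw-away CA constructed here to stand in for the external CA, confirms the extension survived issuance, and packages certificate, key and root into the pfx file that the import step expects. The DNS name server.example.com, the pfx password "changeit" and the demo CA name are placeholders; the script goes beyond the TID's config by adding a DNS entry next to the dirName entry, since a DNS name is what TLS clients actually match against.

```shell
#!/bin/sh
# Added example, not part of the original TID: build a CSR that carries a
# subjectAltName extension, prove it is in the request, sign it with a
# throw-away CA (constructed here to stand in for the external CA), and wrap
# the result into the PKCS #12 file that the iManager import step expects.
# Assumes: openssl (1.1 or 3.x) on PATH; server.example.com, the pfx password
# and the demo CA name are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal stand-alone config. "req_extensions = v3_req" is the line the stock
# /etc/ssl/openssl.cnf ships commented out; without it "openssl req" silently
# ignores the whole [ v3_req ] section and the CSR carries no extensions.
write_config() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = DE
O  = Novell
OU = Security
CN = SERVER_NAME

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
# dirName as in the TID, plus a DNS name (placeholder), which TLS clients match on
subjectAltName   = dirName:dir_sect, DNS:server.example.com

[ dir_sect ]
C  = DE
O  = Novell
OU = Security
CN = SERVER_NAME
EOF
}

# Key + CSR. -nodes leaves the key unencrypted so the script runs unattended;
# drop it to get the passphrase prompt of the TID's original command.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
        -keyout "$WORK/ServerKey.pem" -out "$WORK/ServerReq.pem" 2>/dev/null
}

# Check the request before sending it anywhere: signature intact, SAN present.
csr_verifies() {
    openssl req -in "$WORK/ServerReq.pem" -noout -verify >/dev/null 2>&1
}

# Prints the line following the SAN header in the textual CSR dump.
csr_san_text() {
    openssl req -in "$WORK/ServerReq.pem" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }'
}

# Throw-away CA standing in for the external CA of the TID (demo only).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/csr.cnf" \
        -subj "/C=DE/O=Demo CA/CN=Demo Root" \
        -keyout "$WORK/RootKey.pem" -out "$WORK/RootCert.pem" 2>/dev/null
}

# "openssl x509 -req" does not copy extensions from the CSR by itself; the CA
# (here: us) decides what goes in, which is exactly the TID's closing note.
issue_cert() {
    openssl x509 -req -in "$WORK/ServerReq.pem" -days 30 \
        -CA "$WORK/RootCert.pem" -CAkey "$WORK/RootKey.pem" -CAcreateserial \
        -extfile "$WORK/csr.cnf" -extensions v3_req \
        -out "$WORK/ServerCert.pem" 2>/dev/null
}

cert_san_text() {
    openssl x509 -in "$WORK/ServerCert.pem" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }'
}

# The issued certificate must belong to the key we generated.
cert_matches_key() {
    [ "$(openssl x509 -in "$WORK/ServerCert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/ServerKey.pem" -pubout)" ]
}

make_pkcs12() {
    openssl pkcs12 -export -in "$WORK/ServerCert.pem" -inkey "$WORK/ServerKey.pem" \
        -certfile "$WORK/RootCert.pem" -passout "pass:$1" -out "$WORK/ServerCert.pfx"
}

# Number of certificates in the pfx: server certificate + root = 2.
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/ServerCert.pfx" -passin "pass:$1" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

run_all() {
    write_config; make_csr; csr_verifies
    make_demo_ca; issue_cert; cert_matches_key
    make_pkcs12 "$1"
}

run_all changeit
echo "CSR  SAN: $(csr_san_text)"
echo "Cert SAN: $(cert_san_text)"
echo "PKCS #12 holds $(pfx_cert_count changeit) certificates: $WORK/ServerCert.pfx"
```

With a real external CA, stop after csr_san_text and send ServerReq.pem away; when the certificate comes back, run the cert_san_text and cert_matches_key checks on it before building the pfx, because a CA policy that strips the requested extensions gives you a certificate without the Subject Alternative Name you asked for.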

Status

Reported to Engineering

Additional Information

Note:
  • Depending on the policy of the certificate authority, the requested certificate extensions might not be copied into the issued certificate; inspect the returned certificate (for example with "openssl x509 -in ServerCert.pem -noout -text") before importing it
  • For further details on how to use OpenSSL see the "www.openssl.org" web pages