How to add a Subject Alternative Name extension to a Certificate Signing Request

  • 3522065
  • 07-Sep-2007
  • 26-Apr-2012

Environment

Novell Directory Services 8.8
Novell Certificate Server 3.2

Situation

The currently released version of Novell Certificate Server does not allow adding an X.509v3 Subject Alternative Name extension to a Certificate Signing Request (CSR), which you may need when a third-party Certificate Authority (CA) is to issue the certificate.

Resolution

This issue has been reported to engineering.

As a workaround, use OpenSSL to create the CSR.

The following name types can be placed in a Subject Alternative Name with OpenSSL:
  • subjectAltName=email: => e-mail address
  • subjectAltName=DNS: => DNS name
  • subjectAltName=IP: => IP address
  • subjectAltName=URI: => URI
  • subjectAltName=RID: => registered ID (OBJECT IDENTIFIER)
  • subjectAltName=dirName: => distinguished name (X.500 directory name)
  • subjectAltName=otherName: => locally defined name type

Example:

  • To add an X.500 directory name, create a [ dir_sect ] section in
    "/etc/ssl/openssl.cnf" and modify the [ req ] section so that it
    references the extension section (req_extensions = v3_req)

Example:
....................
....................
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = dirName:dir_sect

[ dir_sect ]
C=DE
O=EMA
OU=Security
CN=ServerName
....................
....................

  • Create a Certificate Signing Request (CSR)
    "openssl req -newkey rsa:2048 -keyout server_key.pem -out server_req.pem"
  • Review the CSR to verify the Subject Alternative Name has been added as expected
    "openssl req -text -in server_req.pem"
The Subject Alternative Name should then look like this, for example:
.................
.................
X509v3 Subject Alternative Name:
DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS
............
............

  • Send the "server_req.pem" file to the third-party Certificate Authority (CA).
  • When the issued server certificate comes back from the CA and contains the requested attributes, build a PKCS#12 file from it and the private key so that it can be imported into eDirectory as a Key Material Object (KMO)
Example:
"openssl pkcs12 -export -inkey server_key.pem -in issued_cert.pem -out server_cert.pfx"
Note: You will be prompted for a password that protects the PKCS#12 file
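The procedure above (config, CSR, review step) as one added shell script; it is not part of the original TID. It writes its own config under a temporary directory instead of editing /etc/ssl/openssl.cnf, assumes openssl is on PATH, and goes beyond the TID's dirName case by adding DNS, IP and e-mail names as well; all names and addresses are constructed placeholders.

```shell
# Added example (not from the original TID): build a CSR that carries a
# Subject Alternative Name from a private OpenSSL config, then check the
# extension is really in the CSR before it goes to a third-party CA.
# Assumes openssl on PATH; all names/addresses are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# [ req ] must reference the extension section via req_extensions, or the
# SAN is silently omitted from the CSR even though [ v3_req ] is defined.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
CN = ServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
# Several SAN types in one CSR (the TID shows only dirName)
subjectAltName   = DNS:servername.example.test, IP:192.0.2.10, email:admin@example.test, dirName:dir_sect
[ dir_sect ]
C  = DE
O  = EMA
OU = Security
CN = ServerName
EOF
}

# Generate the key and CSR non-interactively (-nodes: unencrypted key, demo only).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
        -keyout "$WORK/server_key.pem" -out "$WORK/server_req.pem"
}

# Succeed only if every expected SAN entry appears in the decoded CSR;
# this is the review step the TID does with "openssl req -text".
verify_san() {
    txt=$(openssl req -noout -text -in "$WORK/server_req.pem")
    for want in 'DNS:servername.example.test' 'IP Address:192.0.2.10' \
            'email:admin@example.test' 'DirName:/C=DE/O=EMA/OU=Security/CN=ServerName'; do
        printf '%s\n' "$txt" | grep -qF "$want" || { echo "missing: $want" >&2; return 1; }
    done
    echo "SAN verified in $WORK/server_req.pem"
}
```

Run `write_config && make_csr && verify_san`; a CSR whose config lacks the req_extensions line will fail the verify step, which is exactly the case to catch before the request reaches the CA.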

Status

Reported to Engineering

Additional Information

Note:
  • In any case, it is up to the Certificate Authority's policy whether the requested Subject Alternative Name is accepted.
  • For further details on OpenSSL visit http://www.openssl.org/docs/