Howto add a Subject Alternative Name extension into a Certificate Signing Request

  • 3522065
  • 07-Sep-2007
  • 26-Apr-2012

Environment

Novell Directory Services 8.8
Novell Certificate Server 3.2

Situation

The current released version of Novell Certificate Server does not allow to add an x509v3 "Alternative Name" into a Certificate Signing request (CSR) if you like to use a 3rd party Certificate Authority (CA)

Resolution

This issue has been addressed to engineering

As a current workaround you can use OpenSSL.

The following options can be defined as Subject Alternative Name using OpenSSL:
  • subjectAltName=mail: => Email Address
  • subjectAltName=DNS: => DNS name
  • subjectAltName=IP: => IP address
  • subjectAltName=URI: => URI
  • subjectAltName=RID: => registered ID: OBJECT IDENTIFIER
  • subjectAltName=dirName: => distinguished name
  • subjectAltName=otherName: => local definitions

Example:

  • In order to add an x500 directory name create a [ dir_sect ] section
    and modify the [ req ] section in the "/etc/ssl/openssl.cnf" file

Example:
....................
....................
[ v3_req]
# Extensions to add to a certificate request basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=dirName:dir_sect

[ dir_sect ]
C=DE
O=EMA
OU=Security
CN=ServerName
....................
....................

  • Create a Certificate Signing Request (CSR)
    "openssl req -newkey rsa:2048 -keyout server_key.pem -out server_req.pem"
  • Review the CSR to verify the Subject Alternative Name has been added as expected
    "openssl req -text -in server_req.pem"
The Alternative Subject name should for Example look like:
.................
.................
X509v3 Subject Alternative Name:
DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS
............
............

  • Send the "server_req.pem" file to the rd Party Certificate Authority (CA).
  • If we get the issued server certificate back from the CA and it stores the requested attributes we have to compile a PKCS#12 in order to import this as a Key Material Object (KMO) into eDirectory
Example:
"openssl pkcs12 -export -inkey server_key.pem -in issued_cert.pem -out server_cert.pfx".
Note: You will be asked for a password in order to protect the PKCS#12 file

Status

Reported to Engineering

Additional Information

Note:
  • In any case it is up to Certificate Authority`s policy to accept the request for the Subject Alternative Name.
  • For further details on OpenSSL visit http://www.openssl.org/docs/

Feedback service temporarily unavailable. For content questions or problems, please contact Support.