Environment
Novell Directory Services 8.8
Novell Certificate Server 3.2
Situation
The currently released version of Novell Certificate Server does not
allow adding an X509v3 "Subject Alternative Name" to a Certificate
Signing Request (CSR), which is needed if you want to have the
certificate issued by a 3rd-party Certificate Authority (CA).
Resolution
This issue has been reported to engineering.
As a current workaround you can use OpenSSL.
The following options can be defined as Subject Alternative Name using OpenSSL:
- subjectAltName=email: => e-mail address
- subjectAltName=DNS: => DNS name
- subjectAltName=IP: => IP address
- subjectAltName=URI: => URI
- subjectAltName=RID: => registered ID (OBJECT IDENTIFIER)
- subjectAltName=dirName: => distinguished name (X.500 directory name)
- subjectAltName=otherName: => local definitions
- In order to add an X.500 directory name, create a [ dir_sect ] section
and modify the [ req ] section in the "/etc/ssl/openssl.cnf" file so that
it references the [ v3_req ] extensions shown below.
Example:
....................
....................
....................
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = dirName:dir_sect
[ dir_sect ]
C=DE
O=EMA
OU=Security
CN=ServerName
....................
....................
- Create a Certificate Signing Request (CSR):
"openssl req -newkey rsa:2048 -keyout server_key.pem -out server_req.pem"
- Review the CSR to verify that the Subject Alternative Name has been
added as expected:
"openssl req -text -in server_req.pem"
The Subject Alternative Name should then look like this, for example:
.................
.................
X509v3 Subject Alternative Name:
DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS
............
............
- Send the "server_req.pem" file to the 3rd-party Certificate
Authority (CA).
- Once the issued server certificate comes back from the CA and it
contains the requested attributes, combine it with the private key
into a PKCS#12 file, which can then be imported into eDirectory as a
Key Material Object (KMO).
Example:
"openssl pkcs12 -export -inkey server_key.pem -in issued_cert.pem -out server_cert.pfx"
Note: You will be asked for a password in order to protect the PKCS#12 file
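The whole workaround as an added, runnable example (not part of this TID): it writes its own OpenSSL config instead of editing /etc/ssl/openssl.cnf, creates the CSR from it, and checks that the DirName SAN is really present before the CSR is sent to the CA. The organisation "EMA", the common name "ServerName" and the work directory are constructed sample values.

```shell
# Added example, not part of the Novell TID: build a stand-alone OpenSSL config
# carrying a dirName Subject Alternative Name, create the CSR from it and confirm
# the SAN is present before the CSR goes to a third-party CA.
# "EMA", "ServerName" and the work directory are constructed sample values.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a private config instead of editing /etc/ssl/openssl.cnf in place.
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
# the [ req ] change the TID refers to: without req_extensions,
# "openssl req" silently ignores the [ v3_req ] section
req_extensions = v3_req
prompt = no
[ req_dn ]
C = DE
O = EMA
OU = Security
CN = ServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = dirName:dir_sect
[ dir_sect ]
C = DE
O = EMA
OU = Security
CN = ServerName
EOF
}

# Generate a 2048-bit RSA key (unencrypted, so the run needs no prompt) and the CSR.
make_csr() {
    write_san_config
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/server_key.pem" -out "$WORKDIR/server_req.pem" 2>/dev/null
}

# Succeed only if the CSR's SAN extension holds a DirName with our O=EMA.
# OpenSSL 1.x prints "DirName:/C=DE/O=EMA/...", 3.x "DirName:C = DE, O = EMA, ...",
# so match only the parts that are stable across versions.
csr_has_dirname_san() {
    openssl req -noout -text -in "$WORKDIR/server_req.pem" \
        | grep -A1 'X509v3 Subject Alternative Name' | grep -q 'DirName:.*EMA'
}
make_csr
csr_has_dirname_san && echo "DirName SAN present in $WORKDIR/server_req.pem"
```

The resulting server_key.pem and server_req.pem in $WORKDIR are the files the TID's later steps (sending the CSR, building the PKCS#12) start from.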
Status
Reported to Engineering
Additional Information
Note:
- In any case it is up to the Certificate Authority's policy whether to accept the requested Subject Alternative Name.
- For further details on OpenSSL visit http://www.openssl.org/docs/