How to manually generate a certificate signing request (CSR) with alternate names for external signing in Access Manager

  • 7009247
  • 25-Aug-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

You want to generate an external certificate signing request (CSR) from the Administration Console and add Subject Alternative Names to it, but the option is not available. This is tracked as an enhancement request against the product, as noted in KB 7004246.

Resolution

KB 7004246 gives the workaround: use openssl on the Identity Server (IDP) to generate the CSR. This TID explains how to generate that CSR manually with openssl commands. (You can also use the LAG or any other SUSE Linux server to generate the request; only the resulting .pfx has to reach the Administration Console.)

You need to modify the /etc/ssl/openssl.cnf file so that the sections below contain the lines shown (back the file up first). Two lines do the work: req_extensions = v3_req in the [ req ] section, which is present but commented out in the stock file, and subjectAltName = @alt_names in the [ v3_req ] section. The other lines are already in the stock file and are shown for context. The stock default_bits value of 1024 dates from when this TID was written; public CAs no longer sign 1024-bit RSA keys, so set it to 2048 (or larger) before generating the key:

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
x509_extensions    = v3_ca    # The extensions to add to the self signed cert
req_extensions       = v3_req

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
 

Next, add the following section after the [ v3_req ] section:

[alt_names]
DNS.1 = $Desired Alternative Name 1$
DNS.2 = $Desired Alternative Name 2$
DNS.3 = $Desired Alternative Name 3$
(enter as many as needed, for example DNS.1 = test.novell.com, DNS.2 = lab.novell.com, and so on; list the host name you will use as the Common Name here as well, since clients match the server name against the Subject Alternative Name list rather than the CN)

Save the changes, then proceed with generating the CSR:

1. Generate the private key and CSR. From the /etc/ssl directory run the following:

openssl req -new -nodes -keyout $Desired_Name$.key -out $Desired_Name$.csr -config openssl.cnf

openssl prompts for the subject fields (country, organization, Common Name and so on). Under "extra attributes" it also asks for a challenge password; this is optional and can be left blank. Because of -nodes the private key is written to the .key file unencrypted, so restrict access to that file (for example with chmod 600) until it has been packaged and imported.

2. Verify the Alternative Names were added to the CSR:

openssl req -text -noout -in $Desired_Name$.csr

Under "Requested Extensions" in the printed output you should see lines similar to this:

X509v3 Subject Alternative Name:
    DNS:$Desired Alternative Name 1$, DNS:$Desired Alternative Name 2$, DNS:$Desired Alternative Name 3$, etc.

3. If all looks correct, send the .csr to your external signing authority to have your certificate issued. Once you receive the certificate file (usually a .crt), use openssl to package the certificate and the private key into a PKCS#12 file that can be imported into Access Manager.

Place the .crt file you received into the same directory as your .key file (/etc/ssl). Verify that the entire certificate chain (every intermediate CA certificate and the root) is included with the certificate from the vendor. It is critical that the entire chain be in the .crt file, or the .p12/.pfx file will not import successfully.*

Once you have the certificate with the chain in the /etc/ssl directory, run the following command:

openssl pkcs12 -export -in $Your New Certificate$.crt -inkey $Desired_Name$.key -out $Desired_Name$.pfx

This will prompt for an Export Password. You must enter a password; Access Manager will not import a .pfx that has an empty one.

You can now take your .pfx and import it into the Administration Console.

* A simple way to add the chain certificates to a certificate supplied by a third-party vendor is to run through the process above to create a .pfx file, then import that .pfx into Internet Explorer (make sure to mark the private key as exportable). Then open the Internet Explorer certificate store (Internet Options > Content > Certificates; the certificate should be under Personal), select the imported certificate and choose Export. When exporting, choose to export the private key, to include all certificates in the certification path, and to include all extended properties. This produces a new .pfx that contains every certificate in the signing chain, which the Administration Console can then import. This only works if Windows can build the chain, that is, the vendor's intermediate and root certificates are already installed in the Windows certificate store.
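The three steps above, run end to end as an added example that is not part of this TID. It uses a private copy of the request config in a scratch directory instead of editing /etc/ssl/openssl.cnf, answers the subject prompts from the config file, checks the SAN list in the CSR, and then stands in for the external CA with a throwaway test root so the PKCS#12 packaging and chain check can be exercised offline. The host names, the organization, the export password and the "Example Test Root" CA are all constructed for the example; with a real vendor you send the CSR and receive the signed .crt and its chain back instead of running sign_with_test_ca.

```shell
#!/bin/sh
# Added example, not part of the TID: the same three steps run
# non-interactively in a scratch directory. Host names, organisation,
# export password and the "Example Test Root" CA are assumptions.
set -eu

WORK=$(mktemp -d)
NAME=idp                 # stands in for $Desired_Name$
CN=idp.example.com       # constructed example host name

# A private request config carrying the TID's two additions
# (req_extensions = v3_req and subjectAltName = @alt_names), so the
# system /etc/ssl/openssl.cnf is left untouched. prompt = no lets the
# subject come from the file instead of interactive questions.
write_csr_config() {
    cat > "$WORK/csr.cnf" <<EOF
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
prompt              = no

[ req_distinguished_name ]
C  = US
O  = Example Corp
CN = $CN

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $CN
DNS.2 = test.example.com
DNS.3 = lab.example.com

# Used only for the throwaway test root below, not by the CSR.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: private key and CSR. -nodes writes the key unencrypted,
# so the file is locked down immediately.
gen_csr() {
    openssl req -new -nodes -newkey rsa:2048 -config "$WORK/csr.cnf" \
        -keyout "$WORK/$NAME.key" -out "$WORK/$NAME.csr" 2>/dev/null
    chmod 600 "$WORK/$NAME.key"
}

# Step 2: print the SAN line of the CSR with whitespace removed, e.g.
# DNS:idp.example.com,DNS:test.example.com,DNS:lab.example.com
csr_sans() {
    openssl req -text -noout -in "$WORK/$NAME.csr" \
        | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' '
}

# Stand-in for the external CA: a self-signed test root signs the CSR
# and copies the requested v3_req extensions (including the SANs)
# into the issued certificate.
sign_with_test_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 \
        -config "$WORK/csr.cnf" -extensions v3_ca \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/$NAME.csr" -days 2 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/csr.cnf" -extensions v3_req \
        -out "$WORK/$NAME.crt" 2>/dev/null
}

# Step 3: confirm the private key matches the certificate and that the
# chain verifies, then build the PKCS#12 file. The chain goes in via
# -certfile instead of being concatenated into the .crt, and -passout
# supplies the export password Access Manager requires.
build_pfx() {
    cert_pub=$(openssl x509 -in "$WORK/$NAME.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$WORK/$NAME.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$NAME.crt" >/dev/null
    openssl pkcs12 -export -in "$WORK/$NAME.crt" -inkey "$WORK/$NAME.key" \
        -certfile "$WORK/ca.crt" -passout pass:changeit \
        -out "$WORK/$NAME.pfx"
}

# Number of certificates inside the .pfx: 2 here (leaf + test root).
# A vendor-signed file should hold the leaf plus every intermediate.
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/$NAME.pfx" -nokeys -passin pass:changeit \
        | grep -c 'BEGIN CERTIFICATE'
}

write_csr_config
gen_csr
echo "CSR SANs: $(csr_sans)"
sign_with_test_ca
build_pfx
echo "$WORK/$NAME.pfx holds $(pfx_cert_count) certificates"
```

For a vendor-issued certificate, put the intermediate and root certificates the CA sent you into one PEM file and pass it with -certfile instead of ca.crt; the pfx_cert_count check then tells you whether the chain actually made it into the file before you try the import. With OpenSSL 3.x the export is encrypted with AES and PBKDF2 by default; if an older importer rejects the file, re-export with the -legacy option of openssl pkcs12 to get the older PBE encoding.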