How to create Subject Alternative Name (SAN) certificate extensions in a Certificate Signing Request (CSR) generated by PAM

  • 7023977
  • 27-Jun-2019
  • 27-Jun-2019

Environment

Privileged Account Manager 3.6
Privileged Account Manager 3.5
Privileged Account Manager 3.2

Situation

How to create Subject Alternative Name (SAN) certificate extensions in a Certificate Signing Request (CSR) generated by PAM.
Certificate with just Common Name is not accepted by Google Chrome: NET::ERR_CERT_COMMON_NAME_INVALID.
Certificate is missing or doesn't have the correct subjectAlternativeName extension.

Resolution

When Requesting a Certificate in Privileged Account Manager (PAM), please use the Alternative Names field with options defined in RFC 5280. This is the subjectAltName extension of the certificate (x509v3 Subject Alternative Name).

The following are a couple examples of the proper syntax for this Alternative Names field:
DNS:example.com, DNS:www.example.com
DNS:example.com, DNS:www.example.com, IP:127.0.0.1

Cause

Common Name has been officially deprecated and "Certification Authorities are encouraged to use the dNSName" (RFC 2818). While often used as the fallback in the absence of the subjectAlternativeName extension, support for it has been dropped by popular browsers (Google, Firefox, etc.). Therefore it is recommended to use this preferred extension.

Additional Information

Please refer to RFC 5280 for any other Certificate Extensions that are supported.

How to verify the requested Certificate Signing Request (CSR):
  1. Copy the contents of the certificate into a new file on the server.
  2. Verify the openssl text output of the CSR:
    openssl req -in <csr> -text -noout
    ...
    Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:example.com, DNS:www.example.com, IP Address:127.0.0.1
    ...


Feedback service temporarily unavailable. For content questions or problems, please contact Support.