
Adding Alternative Names with Certificate Signing Requests

Novell Cool Solutions: Tip
By Klaus Gast


Posted: 3 Oct 2007
 

Problem

A Forum reader recently asked:

"If I create a certificate (PKI object, TLS/SSL) for Apache on a NetWare server, I'm able to add additional names as long as I use the internal CA. If I want to create a certificate signing request (CSR), I miss the "add names" button to do so.

Is there any way to create a CSR including all names that need to be signed by an external CA?

I know that Digicert describes a common name like www.domain.tld or *.domain.tld for a WildCard certificate. Think this doesn't work with the multi-domain certs I want to go for, because in this case my common name must be *.*.* or at least *.domain.*"

And here's the response from Klaus Gast ...

Solution

So far, Novell Certificate Server does not allow adding an X.509v3 Subject Alternative Name (which may be an e-mail address, DNS name, IP address, or directory name) to a Certificate Signing Request (CSR). This issue has been reported to and accepted by engineering as an enhancement request.

As a current workaround you can use OpenSSL to create such a signing request. In any case, it is up to the Certificate Authority's policy whether it accepts the request with the alternative subject name.

Here is an example of an openssl.conf file that adds a directory name as a Subject Alternative Name (subjectAltName). The [ req ] section is required so that the request extensions in [ v3_req ] are actually written into the CSR:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = ServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = dirName:dir_sect
[ dir_sect ]
C = DE
O = EMA
OU = Security
CN = ServerName

In many cases, even though the CSR has been created with an alternative subject name, the CA might not accept it; in that case the CA simply strips the extension and the issued certificate will not carry the extra name, so always check the certificate you get back.
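The following script is an added example and is not part of the original tip or of Novell Certificate Server. It writes a complete OpenSSL request configuration, generates a key and CSR from it, and then decodes the CSR to confirm that the Subject Alternative Name extension really made it into the request. It goes slightly beyond the tip's dirName case by also listing DNS names, which is what the forum reader's multi-domain question actually needs. The host names (www.example.com, mail.example.com) and the EMA directory name are constructed sample values; the function names are my own.

```shell
#!/bin/sh
# Added example: build a CSR carrying subjectAltName with OpenSSL and verify it.
# All names below are constructed sample values, not values from the tip.

# Write a self-contained openssl.cnf to the path given as $1.
# [ req ] must reference [ v3_req ] through req_extensions, otherwise the
# extension section is silently ignored and the CSR carries no SAN.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = DE
O  = EMA
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1   = www.example.com
DNS.2   = mail.example.com
dirName = dir_sect

[ dir_sect ]
C  = DE
O  = EMA
OU = Security
CN = ServerName
EOF
}

# Generate a fresh RSA key and a CSR from the config.
# $1 = config path, $2 = private key output path, $3 = CSR output path
make_san_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Return 0 when the decoded CSR contains a SAN extension that lists the
# entry given as $2 (for example "DNS:www.example.com" or "DirName:").
csr_has_san() {
    _dump=$(openssl req -noout -text -in "$1") || return 1
    printf '%s\n' "$_dump" | grep -q "Subject Alternative Name" || return 1
    printf '%s\n' "$_dump" | grep -q -- "$2"
}

# Stand-alone run: create the files in a temporary directory and show the
# SAN block, which is exactly what an external CA will see in the request.
if [ -z "${SAN_CSR_NO_DEMO:-}" ]; then
    workdir=$(mktemp -d)
    write_san_config "$workdir/openssl.cnf"
    make_san_csr "$workdir/openssl.cnf" "$workdir/server.key" "$workdir/server.csr"
    openssl req -noout -text -in "$workdir/server.csr" | grep -A1 "Subject Alternative Name"
fi
```

After the external CA returns the signed certificate, run the same decode against it (openssl x509 -noout -text -in server.crt) and compare the Subject Alternative Name block with the CSR's; if the CA's policy rejected the extension, the block will be missing from the certificate even though it was present in the request.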


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell