Adding Alternative Names with Certificate Signing Requests
Novell Cool Solutions: Tip
By Klaus Gast
Posted: 3 Oct 2007
A Forum reader recently asked:
"If I create a certificate (PKI-Object TLS/SSL) for Apache on a NetWare server I'm able to add additional names as long as I use the internal CA. If I want to create a signing request CSR, I miss the button "add names" to do so.
Is there any way to create a CSR including all names that need to be signed by an external CA?
I know that Digicert describes a common name like www.domain.tld or *.domain.tld for WildCard Certificate. Think this doesn't work with the multi-domain certs I want to go for, because in this case my common name must be *.*.* or at least *.domain.*"
And here's the response from Klaus Gast ...
So far, Novell Certificate Server does not allow adding an X.509v3 Subject Alternative Name (which may be an e-mail address, DNS name, IP address, or directoryName) to a Certificate Signing Request (CSR). This issue has been reported to engineering and accepted as an enhancement request.
As a current workaround you can use OpenSSL to create such a signing request. In any case, it is up to the Certificate Authority's policy whether a request carrying an alternative subject name is accepted.
Here is an example of an openssl.conf fragment that adds a directory name as a Subject Alternative Name (a subjectAltName entry of type dirName):
```ini
# Added so that "openssl req -new -config openssl.conf" picks up the
# v3_req section below; the original snippet showed only the two
# sections that follow.
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
commonName = Common Name (e.g. server FQDN)

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# dirName:<section> takes the distinguished name from the named section
subjectAltName = dirName:dir_sect

[ dir_sect ]
C = DE
O = EMA
OU = Security
CN = ServerName
```
In many cases, even though the CSR was created with a subject alternative name, the CA may not accept it; the extension is then simply stripped from the issued certificate. Check the issued certificate rather than assuming the names in the CSR were honoured.
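The following script is an added example, not part of the original tip or of Novell's tooling. It writes an OpenSSL request config, generates a key and CSR with it, and then inspects the CSR the way a CA operator would before deciding whether to honour the requested names. It goes a little beyond the tip's dirName-only config: the subjectAltName carries DNS names as well as a dirName, which is the multi-domain case the reader asked about. The host names, organisation values and the scratch directory under /tmp are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original tip): build a CSR whose subjectAltName
# carries DNS names and a dirName, then inspect and verify the CSR.
set -eu

# Scratch directory (assumed); everything written here is throwaway.
WORKDIR="${TMPDIR:-/tmp}/san-csr-demo"

# Write the OpenSSL request config. All names are constructed sample values.
# [req] must reference v3_req via req_extensions, otherwise "openssl req"
# silently ignores the extension section.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = DE
O  = EMA
OU = Security
CN = www.example.test

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1   = www.example.test
DNS.2   = mail.example.test
dirName = dir_sect

[ dir_sect ]
C  = DE
O  = EMA
OU = Security
CN = ServerName
EOF
}

# Generate a fresh private key and CSR from the config; prints the CSR path.
make_csr() {
  mkdir -p "$WORKDIR"
  write_config "$WORKDIR/openssl.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
      -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
  echo "$WORKDIR/server.csr"
}

# The decoded CSR is what the CA sees; the requested SAN may still be
# stripped at issuance, so the same checks should be repeated on the
# certificate that comes back. Exit status 0 means the name is present.
csr_has_dns_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

csr_has_dirname_san() {
  openssl req -in "$1" -noout -text | grep -q "DirName:"
}

# Verify the CSR's self-signature (proof that the requester holds the key).
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: create the CSR and show the requested SAN entries.
CSR=$(make_csr)
openssl req -in "$CSR" -noout -text |
  awk '/Subject Alternative Name/ { print; getline; print }'
```

The same decode (`openssl req -in server.csr -noout -text`) is what to run on a CSR before sending it to the external CA, and `openssl x509 -in server.crt -noout -text` on the returned certificate shows whether the CA kept the alternative names or dropped them.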
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com