I have installed DogTag 1.3 Certificate Server (CA and RA) components on
Fedora Core 11.
I want to configure a server certificate with a Subject Alternate Name.
I used openssl to create a private key and a certificate signing request
on the server in question.
openssl genrsa -out server1.key -des3 1024
openssl req -new -key server1.key -out server.csr
I am prompted along the way to include an e-mail address and subject
alternate name. Both are permitted but optional in my openssl.cnf file.
I can look at the csr with
openssl req -in server.csr -text
By default, openssl recreates a req with the following line
Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT,
You can see that e-mail and SAN are part of the CN attribute.
I went to the "Certificate System RA Services Page"
(https://myserver:12890) -> SSL End Users Services -> Server Enrollment
-> Request Submission. I pasted the contents of the csr file into the
web page. The administrator (i.e. me) gets e-mail notification of a
certificate request, and follows the link to approve it. However if I
have included either e-mail or SAN the request will fail because the
subject name doesn't match.
CA: Request Rejected - Subject Name Not Matched
If I compare the dogtag error message to the original csr file I can see
that dogtag expects a different syntax for e-mail. Dogtag expects it
as a separate "E" attribute (It still seems to have translated the
attributes appropriately but then complains the subject doesn't
match.) I can work around this by either omitting e-mail in the csr
altogether or explicitly setting the subject attribute with the "openssl
-> openssl req -new -key server.key -out server.csr -subj
Enter pass phrase for server.key:
Subject Attribute E has no known NID, skipped
However, I can't figure out how to make this work for the Subject
DogTag rejects the certificate with
CA: Request Rejected - Subject Name Not Matched E=mymail(a)company.com
Is there a "NID" parameter that dogtag expects for SAN?
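As an added example (not part of the original post): the check a practitioner would run before submitting a CSR to the CA is to confirm that the e-mail and SAN values sit in the requested subjectAltName extension, not in the Subject DN. This script assumes OpenSSL 1.1.1 or later (for the -addext flag); the host names and address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build a CSR whose SAN lives in the
# requested-extensions block rather than in the Subject DN, then inspect it.
# Assumes OpenSSL 1.1.1+ (-addext) and a writable temp directory.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server1.key"
CSR="$WORKDIR/server1.csr"

# Generate key and CSR in one step. The Subject carries only DN attributes;
# DNS names and the e-mail address go into a subjectAltName extension request.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=US/ST=California/L=MyCity/O=MyCompany/OU=IT/CN=server1.example.com" \
        -addext "subjectAltName=DNS:server1.example.com,DNS:www.example.com,email:admin@example.com" \
        >/dev/null 2>&1
}

# Print the subject line exactly as the CA will parse it.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

# Print the SAN entries from the requested extensions (empty if none present).
csr_san() {
    openssl req -in "$CSR" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); print }'
}

# Return 0 when no e-mail or SAN-style value has leaked into the Subject DN.
subject_is_clean() {
    case "$(csr_subject)" in
        *emailAddress*|*DNS:*|*@*) return 1 ;;
        *) return 0 ;;
    esac
}

make_csr
echo "Subject: $(csr_subject)"
echo "SAN:     $(csr_san)"
subject_is_clean && echo "Subject DN is free of e-mail/SAN values"
```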
Thanks for the Dogtag project. I have been able to install 389-ds and
dogtag-pki-ca on Fedora 13.
I am able to view the services through the browser. I would like to
know if there are any web service APIs or tutorials or documents that
are available to give pointers on how to communicate with these
server subsystems via other servers or programs?
Appreciate any inputs in this regard,