I have installed DogTag 1.3 Certificate Server (CA and RA) components
on Fedora Core 11.
I want to configure a server certificate with a Subject Alternate
Name.
I used openssl to create a private key and a certificate signing
request on the server in question.
openssl
genrsa -out server1.key -des3 1024
openssl req -new -key server1.key -out server.csr
I am prompted along the way to include an e-mail address and subject
alternate name. Both are permitted but optional in my openssl.cnf file.
I can look at the csr with
openssl req -in server.csr -text
By default, openssl by default recreates a req with the following line
Subject:
C=US, ST=California, L=MyCity, O=MyCompany,
OU=IT,
CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail@company.com
You can see that e-mail and SAN are part of the CN attribute.
I went to the "Certificate System RA Services Page"
(https://myserver:12890) - > SSL End Users Services -> Server
Enrollment -> Request Submission. I pasted the contents of the csr
file into the web page. The administrator (i.e. me) gets e-mail
notification of a certificate request, and follows the link to approve
it. However if I have included either e-mail or SAN the request will
fail because the subject name doesn't match.
CA: Request
Rejected - Subject Name Not Matched
E=mymail@company.com,CN=server.company.com,OU=IT,O=My
Company,L=MyCity,ST=California,C=US
If I compare the dogtag error message to the original csr file I can
see that dogtag expects a different syntax for e-mail. Dogtag
expects it as a separate "E" attribute (It still seems to have
translated the attributes appropriately but then complains the subject
doesn't match.) I can work around this by either omitting e-mail in
the csr altogether or explicitly setting the subject attribute with the
"openssl req -subj"
-> openssl req -new -key server.key -out server.csr -subj
"/E=mymail@company.com,CN=server.company.com,OU=IT,O=My Company
Name,L=MyCity,ST=California,C=US"
Enter pass phrase for server.key:
Subject Attribute E has no known NID, skipped
->
However, I can't figure out how to make this work for the Subject
Alternate Name.
DogTag rejects the certificate with
CA: Request Rejected - Subject Name Not Matched E=mymail@company.com
,2.5.29.17=www.company.com,CN=server....
Is there a "NID" parameter than dogtag expects for SAN?