Post by Ingo van Lil on Jan 3, 2023 13:12:54 GMT
Hi Gurus, I've been doing some work on implementing certificate management through the Redfish API, but I'm a bit unclear about how to deal with subject alternative names:

1. Certificate v1.6.0 contains an "AdditionalCommonNames" property. Does that somehow relate to the subjectAltName extension in X.509 certificates, or is it in case a certificate contains multiple CN fields in the subject (which is allowed but discouraged)?

2. The example request for the CertificateService.GenerateCSR action in the Schema Guide (section 6.18.4.1) specifies the following parameters:
- CommonName: manager.contoso.org
- AlternativeNames: manager.contoso.com, manager.contoso.us

A certificate created that way would not be valid for the .org domain because the subjectAltName overrides the subject name. Is that intentional? Or are implementations expected to include the CN in a subjectAltName extension, if present?
Thanks in advance for your answers! Regards,
Ingo
Post by mraineri on Jan 3, 2023 14:29:48 GMT
For your first question, no, it's not related to "subjectAltNames". There are some use cases where the commonName attribute in an X.509 certificate has multiple entries. You're correct in that it's discouraged, but there are some common LDAP use cases that make use of this discouraged behavior.
For your second question, I don't think we thought too hard with the example, but we can certainly update it to make it more realistic and valid. We'll have to take a look at some of these rules. Is there an issue with having CommonName present at all? From some openssl examples I see, it's making use of both "CN" and "subjectAltName" in the request config file.
Post by Ingo van Lil on Jan 3, 2023 16:00:37 GMT
Got it, I'll fix up my implementation then. Will there be a property to reflect the subjectAltName?
Setting both the subject CN and the subjectAltName is perfectly fine and seems to be common practice, judging from a number of websites I checked. The CN won't be interpreted as a DNS name in that case, but most certificates just seem to repeat one of the DNS names anyway.
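The CSR layout the two posts above converge on (a subject CN plus a subjectAltName extension that repeats that CN alongside the alternative names), written out as an added example; this is not code from the Redfish schema, from DMTF, or from either poster. It assumes the openssl CLI (1.1.1 or newer) and mktemp are on PATH, uses the constructed contoso host names from the GenerateCSR example quoted in the question, and the function names (write_csr_config, generate_csr, csr_cn, csr_sans, csr_covers_cn) are my own. The config-file approach is the one mraineri mentions seeing in openssl examples.

```shell
#!/bin/sh
# Added example, not code from the Redfish schema, DMTF, or the posters above.
# Assumes: the openssl CLI (1.1.1 or newer) and mktemp are on PATH.
# The host names are the constructed ones from the GenerateCSR example in the
# thread; with repeat_cn=yes the CommonName is also listed as a SAN entry.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# write_csr_config repeat_cn cn altname...
# Writes an openssl req config with the CN in the subject plus a subjectAltName
# request extension. With repeat_cn=yes the CN is listed as the first SAN as
# well, which is what keeps that name valid for SAN-only verifiers.
write_csr_config() {
    repeat="$1"; cn="$2"; shift 2
    sans=""
    [ "$repeat" = yes ] && sans="DNS:$cn"
    for name in "$@"; do
        sans="${sans:+$sans, }DNS:$name"
    done
    cat > "$WORKDIR/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $sans
EOF
}

# generate_csr: one P-256 key (reused across runs) and a CSR built from req.cnf.
generate_csr() {
    [ -f "$WORKDIR/key.pem" ] || openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-256 -out "$WORKDIR/key.pem" 2>/dev/null
    openssl req -new -key "$WORKDIR/key.pem" -config "$WORKDIR/req.cnf" \
        -out "$WORKDIR/req.csr"
}

# csr_cn: the subject CN of the generated CSR, printed in RFC 2253 form and
# stripped down to the bare value.
csr_cn() {
    openssl req -in "$WORKDIR/req.csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/^CN=//'
}

# csr_sans: one DNS SAN per line, parsed from the CSR's requested extensions.
csr_sans() {
    openssl req -in "$WORKDIR/req.csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# csr_covers_cn: succeeds only if the CN also appears among the DNS SANs.
# Once a SAN extension with DNS names is present, RFC 6125 verifiers do not
# fall back to the CN, so a CN missing here is a name the resulting
# certificate will not actually serve.
csr_covers_cn() {
    csr_sans | grep -Fxq "$(csr_cn)"
}

write_csr_config yes manager.contoso.org manager.contoso.com manager.contoso.us
generate_csr
csr_covers_cn && echo "CN manager.contoso.org is covered by the SAN list"
```

Run with repeat_cn=no and the same names to reproduce the situation the question describes: the CSR still carries CN=manager.contoso.org, but csr_covers_cn fails because only the .com and .us names are in the SAN list. A Redfish implementation of GenerateCSR that wants the CommonName to remain usable as a host name should build the SAN list the repeat_cn=yes way.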
Post by mraineri on Jan 3, 2023 16:06:36 GMT
I thought there was a property for subject alternative names, but I don't see one. This looks like something we should add to the schema.
Thanks for confirming having both is a common practice.