IBM Security Verify

  • 1.  Certificate request with SAN attribute - VA 10.0.0x

    InnerCircle
    Posted Tue November 29, 2022 06:14 PM

    Hello, 

    I need to create a certificate request with a Subject Alternative Name (SAN) attribute.
    For example, IBM Global Security Kit supports this option: -san_dns-name <name> The SAN DNS name(s) for the entry being created.

    Is there any way to do this in Verify Access 10.0.x via LMI or CLI?

    Thank you.



    ------------------------------
    Petr Němec
    ------------------------------


  • 2.  RE: Certificate request with SAN attribute - VA 10.0.0x

    Posted Tue November 29, 2022 06:21 PM
    It's not recommended to use the Appliance for certificate management.

    The recommended approach at this point in time is to use OpenSSL on a separate system as that gives a more robust way to perform certificate management.

    Here are the OpenSSL commands to request a certificate:
    openssl req -new -newkey rsa:2048 -keyout ./private/sha256withrsa-star-key.pem -subj "/C=US/ST=Texas/L=Austin/O=Org/OU=Unit/CN=hostname.domain.lab" -out sha256withrsa-star-req.pem -config openssl-config-file.cnf

    The 'openssl-config-file.cnf' would be an OpenSSL configuration file that specifies how to create the certificate request. It's possible to pass in the SAN using a command line argument and there's a lot of material online to help with that task.


    ------------------------------
    JACK YARBOROUGH
    ------------------------------
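
An added example, not part of the reply above or of IBM's documentation: one way to write the `openssl-config-file.cnf` mentioned in that reply so the request carries SAN entries, then read the SANs back from the CSR before sending it to the CA. The hostnames, file names and the helper function names are constructed for illustration.

```shell
# Added example: CSR with subjectAltName via an OpenSSL config file.
# Hostnames and file names below are constructed placeholders.

# write_san_config FILE CN DNS_NAME... : write a req config with SAN entries
write_san_config() {
    cfg=$1; cn=$2; shift 2
    cat > "$cfg" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = Texas
L  = Austin
O  = Org
OU = Unit
CN = $cn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$@"; do          # one DNS.n line per SAN
        echo "DNS.$i = $name" >> "$cfg"
        i=$((i + 1))
    done
}

# make_csr CFG KEY CSR : new RSA key (mode 600) plus the request.
# -nodes leaves the key unencrypted so this runs unattended; drop it to be
# prompted for a passphrase, as the command in the reply above does.
make_csr() {
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -config "$1" )
}

# csr_sans CSR : print the SAN list the request actually contains
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

work=$(mktemp -d)
write_san_config "$work/req.cnf" hostname.domain.lab hostname.domain.lab alias.domain.lab
make_csr "$work/req.cnf" "$work/key.pem" "$work/req.pem" && csr_sans "$work/req.pem"
```

Checking the CSR with `csr_sans` before submission matters because a request generated without `req_extensions` pointing at the SAN section is still valid, just without the SAN.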



  • 3.  RE: Certificate request with SAN attribute - VA 10.0.0x

    InnerCircle
    Posted Thu December 08, 2022 06:09 PM
    Hi Jack,

    Thank you for the answer. Am I understanding correctly that I can generate the certificate request with the private key on another system, e.g. OpenSSL?
    Then, after issuing to the appropriate CA, I can import that certificate into the VA keystore (PDSRV - This file contains the default SSL certificates that Web Reverse Proxy instances use when communicating with clients and associated web servers)?

    Best regards,
    Petr


    ------------------------------
    Petr Němec
    ------------------------------