IBM Security Verify

Dear All,

We would have a question about new certificate request process.

Basic certificate request can be created in ISAM System - Secure Settings - SSL certificates - Cert DB name - Edit SSL DB - Certificate Request - New (here are options "Certificate Request Label",  "Certificate Request Distinguished Name", "Signature Algorithm", "Key Size").

We do not see any SAN setting here, where we could define the SAN entries of new certificates. We also did not find any possibilities in REST API to use.

Our goal would be to create a new certificate request with the same certificate label with SAN entries.

Example:
label:
  test.cert.de

Subject (DN):
   CN= test.cert.de, OU=123...

SAN:
   test.cert.de
   test.cert2.de
   test.cert3.de

We tried it with using OpenSSL, where we could add SAN entries but we had issue with certificate label after importing the new certificate.

Since there was not valid request in ISAM, during the import ISAM set automatic label.

How it is possible to solve this?
What is your process to create a new certificate request?

Thank you in advance!

Regards,
Sándor

------------------------------
Sándor Lakner
------------------------------

Hi Sándor,

With openssl you also can set a label when creating the p12 file. In this case ISAM chooses this label when importing the file. We also had issues with the automatic label created ass we have special characters in our DN and these are escaped in the label. But in the WebSEAL config file this escaped label is not accepted.

I think the option should be this:

-name friendlyname

This specifies the "friendly name" for the certificate and private key. This name is typically displayed in list boxes by software importing the file.

------------------------------
Laurent LA Asselborn
------------------------------

Original Message:
Sent: Mon September 14, 2020 04:54 AM
From: Sándor Lakner
Subject: New certificate request fulfillments

Dear All,

We would have a question about new certificate request process.

Basic certificate request can be created in ISAM System - Secure Settings - SSL certificates - Cert DB name - Edit SSL DB - Certificate Request - New (here are options "Certificate Request Label",  "Certificate Request Distinguished Name", "Signature Algorithm", "Key Size").

We do not see any SAN setting here, where we could define the SAN entries of new certificates. We also did not find any possibilities in REST API to use.

Our goal would be to create a new certificate request with the same certificate label with SAN entries.

Example:
label:
  test.cert.de

Subject (DN):
   CN= test.cert.de, OU=123...

SAN:
   test.cert.de
   test.cert2.de
   test.cert3.de

We tried it with using OpenSSL, where we could add SAN entries but we had issue with certificate label after importing the new certificate.

Since there was not valid request in ISAM, during the import ISAM set automatic label.

How it is possible to solve this?
What is your process to create a new certificate request?

Thank you in advance!

Regards,
Sándor

------------------------------
Sándor Lakner
------------------------------

Hi Laurent,

Thanks a lot. I could test it and works fine.

Best regards,
Sándor

​

------------------------------
Sándor Lakner
------------------------------

Original Message:
Sent: Tue September 15, 2020 02:33 AM
From: Laurent LA Asselborn
Subject: New certificate request fulfillments

Hi Sándor,

With openssl you also can set a label when creating the p12 file. In this case ISAM chooses this label when importing the file. We also had issues with the automatic label created ass we have special characters in our DN and these are escaped in the label. But in the WebSEAL config file this escaped label is not accepted.

I think the option should be this:

-name friendlyname

This specifies the "friendly name" for the certificate and private key. This name is typically displayed in list boxes by software importing the file.

------------------------------
Laurent LA Asselborn

Original Message:
Sent: Mon September 14, 2020 04:54 AM
From: Sándor Lakner
Subject: New certificate request fulfillments

Dear All,

We would have a question about new certificate request process.

Basic certificate request can be created in ISAM System - Secure Settings - SSL certificates - Cert DB name - Edit SSL DB - Certificate Request - New (here are options "Certificate Request Label",  "Certificate Request Distinguished Name", "Signature Algorithm", "Key Size").

We do not see any SAN setting here, where we could define the SAN entries of new certificates. We also did not find any possibilities in REST API to use.

Our goal would be to create a new certificate request with the same certificate label with SAN entries.

Example:
label:
  test.cert.de

Subject (DN):
   CN= test.cert.de, OU=123...

SAN:
   test.cert.de
   test.cert2.de
   test.cert3.de

We tried it with using OpenSSL, where we could add SAN entries but we had issue with certificate label after importing the new certificate.

Since there was not valid request in ISAM, during the import ISAM set automatic label.

How it is possible to solve this?
What is your process to create a new certificate request?

Thank you in advance!

Regards,
Sándor

------------------------------
Sándor Lakner
------------------------------

Hello Sándor,

I have the same problem. I need to add a SAN to the request.
Have you been successful with OpenSSL?

Thank you.
Peter


------------------------------
Petr Němec
------------------------------

Original Message:
Sent: Mon September 21, 2020 04:45 AM
From: Sándor Lakner
Subject: New certificate request fulfillments

Hi Laurent,

Thanks a lot. I could test it and works fine.

Best regards,
Sándor

​

------------------------------
Sándor Lakner

Original Message:
Sent: Tue September 15, 2020 02:33 AM
From: Laurent LA Asselborn
Subject: New certificate request fulfillments

Hi Sándor,

With openssl you also can set a label when creating the p12 file. In this case ISAM chooses this label when importing the file. We also had issues with the automatic label created ass we have special characters in our DN and these are escaped in the label. But in the WebSEAL config file this escaped label is not accepted.

I think the option should be this:

-name friendlyname

This specifies the "friendly name" for the certificate and private key. This name is typically displayed in list boxes by software importing the file.

------------------------------
Laurent LA Asselborn

Original Message:
Sent: Mon September 14, 2020 04:54 AM
From: Sándor Lakner
Subject: New certificate request fulfillments

Dear All,

We would have a question about new certificate request process.

Basic certificate request can be created in ISAM System - Secure Settings - SSL certificates - Cert DB name - Edit SSL DB - Certificate Request - New (here are options "Certificate Request Label",  "Certificate Request Distinguished Name", "Signature Algorithm", "Key Size").

We do not see any SAN setting here, where we could define the SAN entries of new certificates. We also did not find any possibilities in REST API to use.

Our goal would be to create a new certificate request with the same certificate label with SAN entries.

Example:
label:
  test.cert.de

Subject (DN):
   CN= test.cert.de, OU=123...

SAN:
   test.cert.de
   test.cert2.de
   test.cert3.de

We tried it with using OpenSSL, where we could add SAN entries but we had issue with certificate label after importing the new certificate.

Since there was not valid request in ISAM, during the import ISAM set automatic label.

How it is possible to solve this?
What is your process to create a new certificate request?

Thank you in advance!

Regards,
Sándor

------------------------------
Sándor Lakner
------------------------------