How to request a certificate with SubjectAltname extended properties?

#14929
Posted: 11/03/2010 09:14:57
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I'm not even sure I'm approaching this right so, please, don't hesitate to let me know if I'm completely wrong.

I'm trying to create a certificate request for a web server that will contain some SubjectAltname extensions (so that I can access the server by any of its names).

I've modified the certificate request sample to include the following code:

Code
      // Add one SubjectAltName entry for every non-empty line of the memo
      if cbSubjectAltNamesEnabled.Checked then
      begin
        for I := 0 to memoSubjectAltName.Lines.Count - 1 do    // Iterate
        begin
          if Length(Trim(memoSubjectAltName.Lines[I])) > 0 then
          begin
            NameIndex := ACertificateRequest.Extensions.SubjectAlternativeName.Content.Add();
            ACertificateRequest.Extensions.SubjectAlternativeName.Content.Names[NameIndex].DNSName := Trim(memoSubjectAltName.Lines[I]);
          end;    // if
        end;    // for
      end;


Unfortunately, it doesn't seem to be doing anything: I get my request but the issued certificate contains no SubjectAltName property and the signed certificate doesn't either.

Am I approaching that wrong? Is there something obvious that eludes me?

Thanks
#14930
Posted: 11/03/2010 09:23:22
by Eugene Mayevski (EldoS Corp.)

1) From the how-to: "If you need to set one of predefined extensions, you need to use one of the numerous properties of ElCertificateExtensions class. Also, you must include the corresponding flag in Included property of ElCertificateExtensions class, to signal that the extension is set and must be included into the certificate or certificate request."
You don't set Included.

2) Is it your code or some third-party server that processes the request? As far as I know the extensions should not necessarily be copied from the request to the certificate. I.e. some CA authorities can ignore some extensions.


Sincerely yours
Eugene Mayevski
#14934
Posted: 11/03/2010 09:59:47
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks a lot for the quick answer.

Quote
You don't set Included.


Right. I didn't notice that particular requirement, thanks a lot.

Quote
Is it your code or some third-party server that processes the request?


It's Windows 2008 Certificate Services (Enterprise). I've already enabled SubjectAltName and SubjectAltName2 and restarted the service. Not sure if that will be enough.

It seems to be working, although I also had to specify the NameType of each name I was adding (in my case, DNSName) or it would default to RFC822Name.

Thanks again,
Stephane
#14936
Posted: 11/03/2010 11:29:59
by Eugene Mayevski (EldoS Corp.)

Right, I didn't mention (I overlooked it) that the name type must be set as well.


Sincerely yours
Eugene Mayevski
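For reference, the loop from the first post with the two settings the replies identify as required: the extension is flagged in Included, and each entry gets an explicit NameType so it is not written as an RFC822 (e-mail) name. This is an added example, not code from the thread or from EldoS; the class name TElCertificateRequest and the enumeration identifiers ceSubjectAlternativeName and gnDNSName are assumed to be SecureBlackbox's names for those items and should be checked against the installed units.

```delphi
// Added example, not the thread's own code.
// Assumed identifiers: TElCertificateRequest (the request object),
// ceSubjectAlternativeName (member of the Included set) and
// gnDNSName (value of the entry's NameType). Verify them in your
// SecureBlackbox units before use.
procedure AddDnsSubjectAltNames(ACertificateRequest: TElCertificateRequest;
  const Hosts: TStrings);
var
  I, NameIndex: Integer;
  Host: string;
begin
  for I := 0 to Hosts.Count - 1 do
  begin
    Host := Trim(Hosts[I]);
    if Host = '' then
      Continue;   // skip blank lines, as the original loop did

    NameIndex := ACertificateRequest.Extensions.SubjectAlternativeName.Content.Add();

    // Set the name type first: without it the entry defaults to
    // RFC822Name, as noted in the thread.
    ACertificateRequest.Extensions.SubjectAlternativeName.Content.Names[NameIndex].NameType := gnDNSName;
    ACertificateRequest.Extensions.SubjectAlternativeName.Content.Names[NameIndex].DNSName := Host;
  end;

  // Flag the extension as set; otherwise it is never written into the request
  // even though the Content collection has entries.
  ACertificateRequest.Extensions.Included :=
    ACertificateRequest.Extensions.Included + [ceSubjectAlternativeName];
end;
```

Even with a correct request, a CA may drop or rewrite extensions, so inspect the issued certificate's SubjectAltName rather than assuming it matches the CSR.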
