Certificate Request with 'Subject Alternate Name'

IPatel
Techie
Posts: 1

I have recently deployed an Infoblox appliance with a self-signed certificate. I'd like to create a company-signed certificate with multiple URLs / names (e.g. https://servername/, https://servername.internal.com/, http://infoblox-live/, https://infoblox-live.internal.com/).

I can create a Certificate Request with one name only. To add more names I need to add a 'Subject Alternate Name' field with the extra names listed. This is a standard certificate field.

Does anyone know how to create a Certificate Request with the 'Subject Alternate Name'? Can this be done via Infoblox or do I need to use a 3rd party tool to hack the Certificate Request?

Thanks in advance.

BUMP - Having the same issue - CSR with subject alternative name

FGonzalez
Techie
Posts: 1

Is there a way to create the CSR with "subject alternative names" in the GUI or through the CLI?

I have created a certificate that includes all the necessary components manually via the Certificate Authority. But when I attempt to import the HTTPS certificate I receive the following error:

Could not find a CSR with a matching public key

So it seems that the complete CSR (including SANs) would need to be created within IBOS in order for the import to be successful.

Is there anyone that can help?

Using SANs with certificates for Infoblox DDI appliances

Adviser
Posts: 127

I suspect that the error "Could not find a CSR with a matching public key" is not related to SANs, but may rather be caused by something else. My best guess is either 1) a new CSR was created after the previous CSR had been submitted to the CA, and it has a new public key associated with it, or 2) you accidentally generated and submitted a CSR for a different grid member than the one you're trying to install the certificate on.

In any case, I have successfully installed a CA-issued certificate with SANs on my own lab appliance. I did not have to specify the SAN when I generated the CSR. In fact, many CAs will ignore everything in the CSR except for the Common Name (CN) and the public key. The SAN values are added when the certificate is issued, and can be based on input supplied by the user separate from the CSR. (At least that's how it worked with the CA that I used.)

The main point is that the CN in the CSR should be the FQDN of whatever member you're generating the CSR for (normally the grid master, but it doesn't have to be), and the list of SANs should include that same FQDN along with whatever other SAN values you want the certificate to include. So if the grid member FQDN is ns1.example.com and you want infoblox.example.com as an alternative name, then the CSR should have CN=ns1.example.com and the CA should be told to include ns1.example.com and infoblox.example.com as the SAN values. You should be able to load the resulting certificate into the grid member ns1.example.com without error.

Hope this helps.

Frank
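
The two checks the reply above implies (the issued certificate must carry the same public key as the CSR it answers, and the CSR's CN must also appear among the SANs), written as an added OpenSSL command-line example that is not part of the original thread. The helper names, file names and throwaway lab CA are constructed for illustration, and it assumes the CSR and certificate are available as PEM files.

```shell
#!/usr/bin/env bash
# Added example: helper names, file names and the lab CA are constructed.

# SHA-256 over the PEM public key of a CSR ($1=req) or certificate ($1=x509).
pubkey_digest() {
  openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# True only if the certificate ($2) carries the same public key as the CSR ($1).
# A mismatch is the condition the "matching public key" import error describes.
cert_matches_csr() {
  [ "$(pubkey_digest req "$1")" = "$(pubkey_digest x509 "$2")" ]
}

# Common Name from the CSR subject.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# DNS SAN entries of a certificate, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# True if the CSR's CN is also listed among the certificate's SANs.
cn_in_sans() {
  cert_dns_sans "$2" | grep -qxF "$(csr_cn "$1")"
}

# Constructed demo data: a lab CA signs a.csr and adds the SANs at issuance.
demo_setup() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
    -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null
  for n in a b; do   # b.csr stands for a CSR regenerated after submission
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ns1.example.com" \
      -keyout "$tmp/$n.key" -out "$tmp/$n.csr" 2>/dev/null
  done
  printf 'subjectAltName=DNS:ns1.example.com,DNS:infoblox.example.com\n' > "$tmp/san.ext"
  openssl x509 -req -in "$tmp/a.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
    -CAcreateserial -days 1 -extfile "$tmp/san.ext" -out "$tmp/cert.pem" 2>/dev/null
  echo "$tmp"
}

d=$(demo_setup)
cert_matches_csr "$d/a.csr" "$d/cert.pem" && echo "a.csr: key matches"
cert_matches_csr "$d/b.csr" "$d/cert.pem" || echo "b.csr: key mismatch"
cn_in_sans "$d/a.csr" "$d/cert.pem" && echo "CN is in SAN list"
```

Run against the CSR downloaded from the appliance and the certificate returned by the CA, `cert_matches_csr` tells you before the import whether the certificate answers the CSR you actually submitted.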

Re: Using SANs with certificates for Infoblox DDI appliances

smacdona
Techie
Posts: 1

How were you able to do this? I need a certificate with one or more SANs included for Infoblox. I have a Server 2012 CA and can create a self-signed certificate but I don't know how to include a SAN with it. I have tried several ways to do this but when I try to upload the cert to the Infoblox host I get an "Invalid Certificate" error.

Thanks

smacdo

Re: Certificate Request with 'Subject Alternate Name'

Authority
Posts: 38

Hi,

The use of SAN certificates is currently not supported in NIOS. The use of CSRs generated outside of Infoblox (third party tools) is also not supported in NIOS.

I believe it would be best to contact support and have this raised as an RFE.


Regards,

Sandeep

Re: Using SANs with certificates for Infoblox DDI appliances

rmbolger
Techie
Posts: 11

smacdona wrote:

How were you able to do this? I need a certificate with one or more SANs included for Infoblox. I have a Server 2012 CA and can create a self-signed certificate but I don't know how to include a SAN with it. I have tried several ways to do this but when I try to upload the cert to the Infoblox host I get an "Invalid Certificate" error.

Here's a blog post describing the correct way to re-sign a cert request in order to add SAN fields using a Microsoft CA.

https://blog.css-security.com/blog/using-an-ea-certificate-to-re-sign-csrs-to-add-correct-san-inform...

It's a bit cumbersome, but it works. I'm not sure what SRenjith meant by saying it's not supported though. Maybe he just meant the GUI doesn't support generating CSRs with SAN fields. In any case, a signed cert with SAN fields works just fine in every NIOS version I've used to date.
