VIP Authentication Hub Certificate DN issue
Article ID: 244704

Products

SITEMINDER VIP Authentication Hub

Issue/Introduction

Problem importing certificates and defining certificate issuer when integrating with Siteminder

SiteMinder automatically detects the certificate issuer, whereas AuthHub requires the user to enter it.

SiteMinder reads the raw certificate DN as is, which can differ from what the certificate details view on the Windows platform shows.

Following is the output of the "smkeytool -listcerts" command from SiteMinder, displaying one of the public CA certificates.

*****************************************************************************

Alias Name: verisignclass2g3ca
Type: CertificateAuthorityEntry
Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign\, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign\, Inc.",C=US
Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign\, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign\, Inc.",C=US
Serial Number: 6170CB498C5F984529E7B0A6D9505B7A
Valid from: Fri Oct 01 10:00:00 AEST 1999  until: Thu Jul 17 09:59:59 AEST 2036

*****************************************************************************


As shown above, the raw DN contains double quotes and escape characters that are not visible when the certificate is viewed on the Windows platform.

In addition, the actual value of the certificate DN may be in reverse order compared to what is shown there.


Please confirm whether the issuer to be entered in AuthHub is the same as the one displayed in SiteMinder after importing the certificate.


Steps to reproduce

1. Create certificate

Below are the commands you can use to create a certificate to investigate the issuer issue.

openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr -subj "/C=AU/ST=NSW/L=Sydney/O=Example/OU=Test/CN=examplesigning"

openssl x509 -req -days 1825 -in example.csr -signkey example.key -sha256 -out example.crt

D:\>smkeytool -listcerts -alias examplesigning
Alias Name: examplesigning
Type: CertificateEntry
Subject: CN=examplesigning,OU=Test,O=Example,L=Sydney,ST=NSW,C=AU
Issuer: CN=examplesigning,OU=Test,O=Example,L=Sydney,ST=NSW,C=AU
Serial Number: 00CAE0D725C1076777
Valid from: Tue Apr 08 10:02:03 AEST 2025  until: Sun Apr 07 10:02:03 AEST 2030
Revocation Status: Revocation is not configured.

*****************************************************************************

2. Load the certificate into SiteMinder

3. Load the public certificate into AuthHub

4. Sign the ID Token Hint (IDT Hint) with the private key

5. Call /authenticate with the IDT Hint so that AuthHub checks the JWT signature
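To see the raw DN form that SiteMinder displays (CN first, commas escaped) without importing anything, you can ask OpenSSL for the RFC 2253 form of the issuer. The following is an added example, not part of the original article; it assumes the openssl CLI is on PATH, and all subject values are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article). Generates a self-signed certificate
# in one step (equivalent to the req + x509 pair in step 1) and prints its
# issuer DN in RFC 2253 form, which is the raw DN order SiteMinder shows:
# CN first, and commas inside a value escaped as "\,".
set -e

issuer_rfc2253() {
    subj="$1"
    dir=$(mktemp -d)
    # Self-signed test cert; stderr is silenced because OpenSSL 3 warns that
    # -nodes is deprecated (it still works, and -noenc is not in 1.1.1).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$dir/t.key" -out "$dir/t.crt" -subj "$subj" 2>/dev/null
    # -nameopt RFC2253 reverses the encoded order and applies RFC 2253 escaping.
    # Older OpenSSL prints "issuer= CN=..." with a space, newer "issuer=CN=...".
    issuer=$(openssl x509 -in "$dir/t.crt" -noout -issuer -nameopt RFC2253 \
             | sed -e 's/^issuer= *//')
    rm -rf "$dir"
    printf '%s\n' "$issuer"
}

# Same subject as the article's first test certificate: note the order is the
# reverse of the -subj string, matching the smkeytool output in step 1.
issuer_rfc2253 "/C=AU/ST=NSW/L=Sydney/O=Example/OU=Test/CN=examplesigning"
# Expected: CN=examplesigning,OU=Test,O=Example,L=Sydney,ST=NSW,C=AU

# A constructed organisation name containing a comma shows the escape
# character that the Windows certificate details view hides.
issuer_rfc2253 "/C=AU/O=Example, Inc./CN=examplesigning"
# Expected: CN=examplesigning,O=Example\, Inc.,C=AU
```

Compare this output with the Issuer line from "smkeytool -listcerts" before typing the DN into AuthHub; the default `openssl x509 -issuer` output (without `-nameopt RFC2253`) prints the DN in the opposite order.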

Environment

Release : 12.8

Component : SITEMINDER -SDK

Resolution

The customer generated a CN-only certificate to remove any complexity.

openssl req -new -newkey rsa:2048 -nodes -keyout example1.key -out example1.csr -subj "/CN=examplesigning"

openssl x509 -req -days 1825 -in example1.csr -signkey example1.key -sha256 -out example1.crt

D:\>smkeytool -listcerts -alias examplesigning1
Alias Name: examplesigning1
Type: CertificateEntry
Subject: CN=examplesigning
Issuer: CN=examplesigning
Serial Number: 00E19036B4269C5AB1
Valid from: Tue Apr 08 10:14:50 AEST 2025  until: Sun Apr 07 10:14:50 AEST 2030
Revocation Status: Revocation is not configured.

*****************************************************************************


Then enter the certificate DN in VIP Authentication Hub as "CN=examplesigning".