Symantec Directory: can we modify DSA personality certificate subject ?
search cancel

Symantec Directory: can we modify DSA personality certificate subject ?


Article ID: 277311


Updated On:


CA Directory


Our organization has a requirement that all SSL certificates should have email address in the subject.

We use our own CA-signed personality certificates with Symantec/CA Directory DSAs.

Can we include email address in the DSA personality certificate subject ?


Symantec Directory 12.x, 14.x


DSA personality certificate must have DSA name as a subject.
That is
in the certificate's subject field exactly the same DN (just in a different form) as in "dsa-name" parameter of "set dsa" command in DSA configuration must be provided.

For example if "set dsa" command has the following parameters:

set dsa "dsa06" =
    prefix        = <c au>
    dsa-name      = <c au><cn "dsa06">
  dsa-password  = "xxxxxx"
    address       = tcp "" port 1389
    disp-psap     = DISP
    snmp-port     = 1389
    console-port  = 1390
    auth-levels   = anonymous, clear-password,ssl-auth
    dsa-flags     = multi-write, no-service-while-recovering
    link-flags    = ssl-encryption-remote

then certificate subject must be /C=AU/CN=dsa06

You cannot add anything to a DSA subject, otherwise multi-write replication will fail.

However, it is possible to include email address in SAN (Subject Alternative Name) field.

If we use dxcertgen utility to generate certificate signing request (CSR) we can only include DNS and IP fields:

dxcertgen -e "SAN=IP:," -D dsa06 certreq

However, if we use openssl tool for the same purpose, we can include email address in SAN:

openssl req -new -newkey rsa:4096 -nodes -keyout dsa06.key -out dsa06.csr -subj "/C=AU/CN=dsa06" -addext ",IP:,email:[email protected]"

While email address is not in the subject, it's still present in the certificate and can be checked using different tools like openssl.