Our organization has a requirement that all SSL certificates should have an email address in the subject.
We use our own CA-signed personality certificates with Symantec/CA Directory DSAs.
Can we include an email address in the DSA personality certificate subject?
Symantec Directory 12.x, 14.x
The subject of a DSA personality certificate must be the DSA name.
That is, the certificate's subject field must contain exactly the same DN (only written in a different form) as the one given in the "dsa-name" parameter of the "set dsa" command in the DSA configuration.
For example, if the "set dsa" command has the following parameters:
```
set dsa "dsa06" =
{
    prefix        = <c au>
    dsa-name      = <c au><cn "dsa06">
    dsa-password  = "xxxxxx"
    address       = tcp "cadir.example.com" port 1389
    disp-psap     = DISP
    snmp-port     = 1389
    console-port  = 1390
    auth-levels   = anonymous, clear-password, ssl-auth
    dsa-flags     = multi-write, no-service-while-recovering
    link-flags    = ssl-encryption-remote
};
```
then the certificate subject must be /C=AU/CN=dsa06
Nothing else can be added to the DSA subject; otherwise multi-write replication will fail.
However, it is possible to include the email address in the SAN (Subject Alternative Name) extension.
If the dxcertgen utility is used to generate the certificate signing request (CSR), only DNS and IP entries can be included in the SAN:
```
dxcertgen -e "SAN=IP:192.168.0.26,DNS:cadir.example.com" -D dsa06 certreq
```
However, if the openssl tool is used for the same purpose, the email address can be included in the SAN (the -addext option requires OpenSSL 1.1.1 or later; replace <email-address> with the required address):
```
openssl req -new -newkey rsa:4096 -nodes -keyout dsa06.key -out dsa06.csr -subj "/C=AU/CN=dsa06" -addext "subjectAltName=DNS:cadir.example.com,IP:192.168.0.26,email:<email-address>"
```
Although the email address is not in the subject, it is still present in the certificate and can be checked with tools such as openssl.
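The following script is an added example, not code from the original article or from Symantec/CA Directory: it generates a CSR the way the openssl command above does and then verifies, before the CSR is sent to the CA, that the subject is exactly the DSA name (no extra RDN such as emailAddress) and that the SAN carries the email address. It assumes OpenSSL 1.1.1 or later on PATH; the host name, IP address and email address are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): build a CSR whose subject is
# exactly the DSA name (/C=AU/CN=dsa06) and whose SAN carries the e-mail
# address, then verify both properties before submitting the CSR to the CA.
# Assumes OpenSSL 1.1.1 or later on PATH (-addext needs it). The host name,
# IP address and e-mail address used below are constructed sample values.
set -e

WORKDIR="${TMPDIR:-/tmp}/dsa-csr.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# gen_csr DSA SUBJECT SAN: write DSA.key and DSA.csr into WORKDIR, print CSR path
gen_csr() {
  dsa="$1"; subj="$2"; san="$3"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$dsa.key" -out "$WORKDIR/$dsa.csr" \
    -subj "$subj" -addext "subjectAltName=$san" 2>/dev/null
  printf '%s\n' "$WORKDIR/$dsa.csr"
}

# csr_subject CSR: print the subject in RFC 2253 form (most specific RDN first,
# so /C=AU/CN=dsa06 prints as CN=dsa06,C=AU); this form is stable across versions
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_san CSR: print the Subject Alternative Name values from the requested extensions
csr_san() {
  openssl req -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# csr_subject_is CSR EXPECTED: succeed only if the subject is exactly EXPECTED
# (guards against emailAddress or any other RDN creeping into the DSA subject)
csr_subject_is() {
  [ "$(csr_subject "$1")" = "$2" ]
}

# csr_san_has_email CSR ADDRESS: succeed only if the SAN lists email:ADDRESS
csr_san_has_email() {
  csr_san "$1" | grep -q "email:$2"
}

# Demonstration run with constructed sample values
CSR=$(gen_csr dsa06 "/C=AU/CN=dsa06" \
  "DNS:cadir.example.com,IP:192.168.0.26,email:dsa06-admin@example.com")
echo "subject: $(csr_subject "$CSR")"
echo "SAN:     $(csr_san "$CSR")"
csr_subject_is "$CSR" "CN=dsa06,C=AU"
csr_san_has_email "$CSR" "dsa06-admin@example.com"
echo "CSR OK: subject is the DSA name only, e-mail address is in the SAN"
```

The subject check compares against the RFC 2253 rendering rather than the /C=AU/CN=dsa06 form so that the test does not depend on the version-specific spacing of openssl's default subject output. The same two checks can be run against the issued certificate by swapping `openssl req -in` for `openssl x509 -in`, which confirms that the CA kept the SAN entry when signing.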