vCenter CSR creation adding email to the Subject Alternate Name causing the certificate generation from an external CA to fail.

Article ID: 407297

Products

VMware SDDC Manager

Issue/Introduction

When generating a vCenter CSR, if an email address is added to the input parameters, the backend includes the email address only in the Subject Alternative Name (SAN) extension, not in the Subject. An external CA that does not permit an email address in the SAN field rejects the CSR, and certificate generation fails.

Environment

VCF

Cause

1. Subject field (legacy / deprecated)

Historically, email addresses were placed in the Subject using the emailAddress attribute (OID: 1.2.840.113549.1.9.1). This practice is now discouraged by the CA/Browser Forum baseline requirements and is mainly seen in older S/MIME or internal PKI certificates.

2. Subject Alternative Name (SAN) extension (modern / recommended)

The current standard is to include the email address in the Subject Alternative Name extension as an rfc822Name, especially for S/MIME certificates.

Resolution

vCenter supports only the modern approach: the email address is placed in the Subject Alternative Name extension as an rfc822Name and is never written to the Subject emailAddress attribute.

Workaround:

1. Generate a CSR without an email address for the external CA to sign, or
2. Request that the external CA allow the email address in the SAN field.
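Before submitting a CSR to the external CA, it helps to confirm where the email address actually sits, since the two placements described under Cause look identical in a casual glance at the PEM. The check below is an added example (not from this KB or from VMware) that uses only the openssl CLI; the hostname, organisation and email address are constructed sample values, and it assumes openssl 1.1.1 or later for the `-addext` option.

```shell
#!/bin/sh
# Added example: report where a PEM CSR carries an email address.
# Prints one of: subject (emailAddress attribute, OID 1.2.840.113549.1.9.1),
# san (rfc822Name in the SAN extension), both, or none.
# Assumes the openssl CLI (1.1.1+) is on PATH.
set -eu

csr_email_location() {
    csr="$1"
    text=$(openssl req -in "$csr" -noout -text)
    subj=$(openssl req -in "$csr" -noout -subject)
    in_subject=0; in_san=0
    # The -subject line names the attribute "emailAddress" when present.
    case "$subj" in *emailAddress*) in_subject=1 ;; esac
    # openssl renders SAN rfc822Name entries as "email:user@host".
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'email:'; then
        in_san=1
    fi
    if [ "$in_subject" = 1 ] && [ "$in_san" = 1 ]; then echo both
    elif [ "$in_subject" = 1 ]; then echo subject
    elif [ "$in_san" = 1 ]; then echo san
    else echo none; fi
}

# Build two constructed sample CSRs in a temp dir to exercise the check.
make_sample_csrs() {
    dir=$(mktemp -d)
    # Modern layout (the one vCenter produces): email only as rfc822Name in SAN.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj "/CN=vcenter.example.test/O=Example" \
        -addext "subjectAltName=DNS:vcenter.example.test,email:admin@example.test" \
        -out "$dir/san.csr" 2>/dev/null
    # Legacy layout: emailAddress attribute in the Subject, no SAN extension.
    openssl req -new -key "$dir/key.pem" \
        -subj "/CN=vcenter.example.test/O=Example/emailAddress=admin@example.test" \
        -out "$dir/subject.csr" 2>/dev/null
    echo "$dir"
}

# Stand-alone run: `sh check_csr.sh run` prints the location for each sample.
if [ "${1:-}" = "run" ]; then
    d=$(make_sample_csrs)
    echo "san.csr: $(csr_email_location "$d/san.csr")"
    echo "subject.csr: $(csr_email_location "$d/subject.csr")"
fi
```

Run `csr_email_location` against the CSR exported from vCenter: a result of `san` confirms the rfc822Name placement the external CA is rejecting, so the CA policy, not the CSR, is what needs to change.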