
Re: ILO2 refuses to import some X509 certificates

 
Erwan_M
Occasional Contributor

ILO2 refuses to import some X509 certificates

Hello,

I generated a CSR for my server. I generated 2 certificates from the same CSR via 2 CAs.

When I use the instantssl.com PKI, I can import the certificate.

When I use the startssl.com PKI, I cannot import the certificate.

When I extract information from the certificates with openssl, I have:

 

From startssl.com:

Subject: description=kk5U45Jfhfy8CV4S, C=FR, CN=srv435.mngt.mydom.fr/emailAddress=tech@mydom.fr

From instantssl.com:

Subject: OU=Domain Control Validated, OU=Free SSL, CN=srv435.mngt.mydom.fr

 

Does someone have a workaround for using the startssl.com PKI?

The error I have from the web interface:

 

The Certificate could not be imported from the supplied X.509 Certificate data.

The Common name on the certificate does not match the DNS name of Integrated Lights-Out. Make sure that the X.509 Certificate data was intended for this Integrated Lights-Out.

 

 

 

 

 

 

4 REPLIES 4
Oscar A. Perez
Honored Contributor

Re: ILO2 refuses to import some X509 certificates

Apparently, iLO doesn't like the CN from startssl.com.

I bet that if the "/emailAddress=tech@mydom.fr" portion is removed from the CN, it will work.



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Erwan_M
Occasional Contributor

Re: ILO2 refuses to import some X509 certificates

From: http://stackoverflow.com/questions/6464129/certificate-subject-x-509

emailAddress can be in the subject field of an X.509 certificate.

It's a bug in the iLO implementation :(

 

 

 

 

 

Oscar A. Perez
Honored Contributor

Re: ILO2 refuses to import some X509 certificates

It says the emailAddress attribute is deprecated. Use altName extension instead.

 

http://www.oid-info.com/get/1.2.840.113549.1.9.1

 




Erwan_M
Occasional Contributor

Re: ILO2 refuses to import some X509 certificates

From the RFC, the usage of the field is deprecated but permitted.

See the end of chapter 4.1.2.6 Subject from (http://www.ietf.org/rfc/rfc5280.txt)

 

 

Conforming implementations generating new certificates with
   electronic mail addresses MUST use the rfc822Name in the subject
   alternative name extension (Section 4.2.1.6) to describe such
   identities.  Simultaneous inclusion of the emailAddress attribute in
   the subject distinguished name to support legacy implementations is
   deprecated but permitted.
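
Added example (not part of any post in this thread and not iLO's own code): a pre-import check over the two Subject lines quoted in the first post. It parses openssl's legacy one-line subject format, compares the CN with the expected DNS name, and flags an emailAddress attribute in the subject. `naive_cn` is a hypothetical comma-only reading, included only to show how the CN would come out with "/emailAddress=..." attached; `EXPECTED_DNS` and all function names are assumptions.

```python
import re

# Subject lines copied from the first post (openssl legacy one-line format).
STARTSSL = ("Subject: description=kk5U45Jfhfy8CV4S, C=FR, "
            "CN=srv435.mngt.mydom.fr/emailAddress=tech@mydom.fr")
INSTANTSSL = ("Subject: OU=Domain Control Validated, OU=Free SSL, "
              "CN=srv435.mngt.mydom.fr")
EXPECTED_DNS = "srv435.mngt.mydom.fr"  # assumed iLO DNS name, taken from the CN

# In this format an attribute starts the line or follows ", " or "/".
# Assumption: values contain no "<sep>name=" sequence (true for both samples).
_ATTR = re.compile(r"(?:^|, |/)([A-Za-z][A-Za-z0-9.]*)=")


def parse_subject(line):
    """Split a one-line subject into ordered (attribute, value) pairs."""
    text = line.split("Subject:", 1)[-1].strip()
    marks = list(_ATTR.finditer(text))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        pairs.append((m.group(1), text[m.end():end]))
    return pairs


def naive_cn(line):
    """Hypothetical comma-only reading: text after 'CN=' up to the next ', '."""
    if "CN=" not in line:
        return None
    return line.split("CN=", 1)[1].split(", ", 1)[0]


def preimport_check(line, dns_name):
    """Report what to look at before pasting the certificate into iLO."""
    pairs = parse_subject(line)
    cns = [value for attr, value in pairs if attr == "CN"]
    cn = cns[-1] if cns else None
    naive = naive_cn(line)
    return {
        "cn": cn,
        "cn_matches": cn is not None and cn.lower() == dns_name.lower(),
        "naive_cn_matches": naive is not None and naive.lower() == dns_name.lower(),
        "email_in_subject": any(attr == "emailAddress" for attr, _ in pairs),
    }


if __name__ == "__main__":
    for name, line in (("startssl", STARTSSL), ("instantssl", INSTANTSSL)):
        print(name, preimport_check(line, EXPECTED_DNS))
```

When `email_in_subject` is true, the certificate carries the legacy subject attribute discussed above, even though its CN attribute on its own matches the DNS name.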