Technical Articles
Creating a Key Pair and Public-Key Certificate with Subject Alternative Name (SAN)
Procedure
- Open the Key Storage Content tab.
- Select the view for which you want to create a key pair and certificate from the Key Storage Views.
- In the View Entries tab, choose Create.
The New Entry dialog appears.
- In Step 1, define the basic settings of the new entry.
- In the Entry Name field, specify a name for the certificate.
- Select the certificate algorithm in Algorithm, for example, RSA (Rivest, Shamir, Adleman) or DSA (Digital Signature Algorithm).
- Choose the certificate key length in Key Length.
- Specify the certificate validity period in the Valid From and Valid To fields.
Enter the values using the format mm/dd/yyyy.
- If you want to have a copy of the new certificate as a separate keystore entry next to the new key pair in the key storage, select Store Certificate.
- In Step 2, specify the properties of the Subject field for the certificate. If no property has value, the Subject Alternative Name extension will be denoted as critical.
- In Step 3, specify the properties of the Subject Alternative Name extension of the certificate. If at least one property of the Subject has a value, the Subject Alternative Name extension will be denoted as non-critical.
- Add the directory name properties. You can also use the Move Up and Move Down buttons to sort the properties.
- Add all other subject alternative name properties and choose Next.
- Add the directory name properties. You can also use the Move Up and Move Down buttons to sort the properties.
- In Step 4, sign the new entry with a key pair and choose the signature hashing algorithm for the certificate. This step is optional.
If you create a self-signed certificate, then specify hashing algorithm for the certificate signature in the Signature Hashing Algorithm menu. If you specify a signing CA , the hashing algorithm will be used from the CA certificate.
Choose Next.
- In Step 5, preview your settings.
Result
A progress bar indicates the generation of the key pair and certificate. Once generated, they are displayed on the View Entries list.
Your Feedback
Your feedback on this configuration is appreciated. Please tell us if:
- You can intuitively use this functionality, and what we can improve on its usability.
- The newly added SAN support for the certificate generation solves your previous issues.
- You need other certificate generation features that will improve your daily work.
Hi Nikola,
I'm really happy to see this ability to set the SAN attribute directly without going out to SAPGENPSE come into play, but it seems there's an issue with having it denoted as "non-critical" in the key pair. When I submit that to my CA, the signed certificate I get back does not have the SAN attribute present, which of course means the cert is useless with Chrome browsers.
I've tried several different mechanisms to get this to work, including leaving all the Subject fields blank, but when I submit that to the CA, it tells me there's a critical error in the CSR and won't sign it. In short, at least one Subject field has to be populated, but this results in the Subject Alternative Name fields being ignored.
Is there any way to have both, yet still have the SAN attributes denoted "critical"?
In the meantime, I guess it's back to SAPGENPSE...
Cheers,
Matt
Hello Matt,
Thank you for the feedback!
The reason why we have implemented the extension as "non-critical" while the Subject field is populated is explained in https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6
On the other hand, you are right regarding the CSR request and SAN attribute not being included in it. We are working on improving this and we will add a new comment when it is ready.
Thanks again for helping us improve our product!
Best regards,
Vaska