000013778 - Certificate requests made through OneStep fail if Common Name (CN) attribute value contains a comma

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013778

Applies To

RSA Certificate Manager 6.8
RSA Certificate Manager OneStep 6.8
RSA Keon Certificate Authority 6.5.1
RSA Keon Certificate Authority OneStep 6.5.1

Issue

Certificate requests made through OneStep fail if Common Name (CN) attribute value contains a comma

Cause

A Common Name (CN) value containing a comma was part of the value constructed for KCSOSD_CERTDN. If any attribute value contains a comma (,) or an equal sign (=), those characters must be escaped as &comma; and &equals; respectively. Commas delimit attribute type/value pairs, and equal signs separate the type from the value in the cert DN (KCSOSD_CERTDN).

A bug fix made in OneStep/KCA 6.5.1 build 256 (and also included in 6.8) causes OneStep to fail requests that have an unescaped comma in an attribute value (in KCSOSD_CERTDN). The fix was made to avoid JavaScript errors in the RCM/KCA admin interface when viewing such requests or certificates. As a result, a request with an unescaped comma processed via the OneStep CGI from any version prior to 6.5.1 build 256 would not fail; however, it may cause JavaScript issues in the admin console.

Resolution

Update the OneStep plugin to properly escape any commas or equal signs present in attribute values, replacing them with &comma; or &equals; respectively.
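One way a plugin could apply this escaping before assembling the DN string, as an added example that is not RSA's code or part of the OneStep API. The helper names `escape_dn_value` and `build_cert_dn`, the buffer sizes, the unspaced `TYPE=value,TYPE=value` layout and the sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not a OneStep API call: copy val into out, replacing
 * ',' with "&comma;" and '=' with "&equals;". Only the two characters the
 * article names are handled. Returns the length written, -1 if out is too small. */
int escape_dn_value(const char *val, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *val; val++) {
        const char *rep = *val == ',' ? "&comma;" : *val == '=' ? "&equals;" : NULL;
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 > outsz) return -1;   /* fail rather than truncate */
        if (rep) memcpy(out + n, rep, len);
        else out[n] = *val;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: join type/value pairs into a DN string of the kind
 * supplied as KCSOSD_CERTDN, escaping every value first (layout is assumed). */
int build_cert_dn(const char *types[], const char *values[], size_t count,
                  char *dn, size_t dnsz)
{
    size_t n = 0;
    if (dnsz == 0) return -1;
    dn[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char esc[256];
        if (escape_dn_value(values[i], esc, sizeof esc) < 0) return -1;
        int w = snprintf(dn + n, dnsz - n, "%s%s=%s", i ? "," : "", types[i], esc);
        if (w < 0 || (size_t)w >= dnsz - n) return -1;
        n += (size_t)w;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample values, not taken from the article. */
    const char *types[]  = { "CN", "O" };
    const char *values[] = { "Acme, Inc.", "R=D Labs" };
    char dn[512];
    if (build_cert_dn(types, values, 2, dn, sizeof dn) < 0) return 1;
    puts(dn);
    return 0;
}
```

Both helpers return -1 instead of truncating, so an oversized value is rejected before it can produce a malformed DN.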

Workaround

Upgraded RSA Keon Certificate Authority (KCA) 6.5.1 to RSA Certificate Manager (RCM) 6.8, and accordingly recompiled the custom OneStep plugin with the OneStep 6.8 API for use with the OneStep 6.8 CGI.

Notes

The RSA Certificate Manager OneStep 6.8 Developer's Guide, page 32, instructs to escape commas (,) and equal signs (=) with &comma and &equals respectively. Note that the correct values for escaping commas and equal signs are &comma; and &equals; (notice the semicolons at the end of the escape strings).

Legacy Article ID: a42331
