|Applies To||Keon Certificate Authority 6.5.1|
Microsoft Windows 2000 Server
|Issue||Certificate Management Protocol (CMP) request values are being overridden by KCA jurisdiction settings|
RDN values in the Certificate Management Protocol (CMP) certificate request are ignored
V3 extension requests in the Certificate Management Protocol (CMP) certificate request are ignored
|Cause||Keon CA and Certificate Management Protocol (CMP) are working as designed. The purpose of "enforce DN" and "enforce Profile" is to enforce the DN and profile on all certificates issued through that Jurisdiction. Any certificate requests that do not conform to those definitions will have their requested DN/extensions ignored, and the certificate will be issued according to the enforced configuration.|
|Resolution||Some suggested solutions to this issue:|
1. If you do not wish the DN and extension profile to be enforced, uncheck the checkboxes from the Jurisdiction configuration.
2. Create a customer extension profile and add the Subject Alternative Name extension to the Basic PKIX EE extension profile (note that issued certificates will also contain the other extensions in this profile). Also, add the OU attribute to the required attributes in the Jurisdiction configuration.
3. If you do not want to change this Jurisdiction configuration because it is required for other (non-CMP) certificates, create a new Jurisdiction with the desired configuration for CMP requests (a CA may have multiple Jurisdictions).
|Workaround||A certificate request is submitted via Certificate Management Protocol (CMP)|
|Legacy Article ID||a20808|