000025938 - Certificate Management Protocol (CMP) request values are being overridden by KCA jurisdiction settings

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025938

Applies To:
Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server

Issue:
Certificate Management Protocol (CMP) request values are being overridden by KCA jurisdiction settings
RDN values in the Certificate Management Protocol (CMP) certificate request are ignored
V3 extension requests in the Certificate Management Protocol (CMP) certificate request are ignored

Cause:
Keon CA and Certificate Management Protocol (CMP) are working as designed. The purpose of "enforce DN" and "enforce Profile" is to enforce the DN and profile on all certificates issued through that Jurisdiction. Any certificate requests that do not conform to those definitions will have their requested DN/extensions ignored, and the certificate will be issued according to the enforced configuration.

Resolution:
Some suggested solutions to this issue:

1. If you do not wish the DN and extension profile to be enforced, uncheck the checkboxes from the Jurisdiction configuration.

2. Create a customer extension profile and add the Subject Alternative Name extension to the Basic PKIX EE extension profile (note that issued certificates will also contain the other extensions in this profile). Also, add the OU attribute to the required attributes in the Jurisdiction configuration.

3. If you do not want to change this Jurisdiction configuration because it is required for other (non-CMP) certificates, create a new Jurisdiction with the desired configuration for CMP requests (a CA may have multiple Jurisdictions).

Workaround:
A certificate request is submitted via Certificate Management Protocol (CMP)

Legacy Article ID: a20808
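
A check for the behaviour described under Cause: compare what a CMP request asked for with what the Jurisdiction actually issued, so that ignored RDNs and extensions are reported instead of going unnoticed. This is an added example, not RSA code; the function names, DN strings and extension values are constructed assumptions, and the inputs are assumed to be already extracted as text from the request and the issued certificate.

```python
import re
from collections import Counter


def parse_dn(dn):
    """Parse an RFC 4514-style DN string into a list of (TYPE, value) pairs.

    Handles backslash-escaped commas; multi-valued RDNs ("+") are not split.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):  # split only on unescaped commas
        if not part.strip():
            continue
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def diff_request(requested_dn, issued_dn, requested_exts, issued_exts):
    """Report which requested values the CA ignored and which it enforced.

    Extensions are dicts of name -> value text; a requested extension counts
    as ignored when it is absent from the certificate or its value differs.
    """
    req = Counter(parse_dn(requested_dn))  # Counter keeps repeated OUs apart
    iss = Counter(parse_dn(issued_dn))
    return {
        "rdn_ignored": sorted((req - iss).elements()),
        "rdn_enforced": sorted((iss - req).elements()),
        "ext_ignored": sorted(n for n, v in requested_exts.items()
                              if issued_exts.get(n) != v),
        "ext_enforced": sorted(n for n in issued_exts
                               if n not in requested_exts),
    }


# Constructed sample: the request asks for an OU and a Subject Alternative
# Name; the Jurisdiction enforces a DN without OU and its own profile.
REQUESTED_DN = "CN=web01.example.test,OU=Payments,O=Example Corp,C=US"
ISSUED_DN = "CN=web01.example.test,O=Example Corp,C=US"
REQUESTED_EXTS = {"subjectAltName": "DNS:web01.example.test",
                  "keyUsage": "digitalSignature"}
ISSUED_EXTS = {"keyUsage": "digitalSignature, keyEncipherment",
               "basicConstraints": "CA:FALSE"}

if __name__ == "__main__":
    report = diff_request(REQUESTED_DN, ISSUED_DN, REQUESTED_EXTS, ISSUED_EXTS)
    for field, values in report.items():
        print(f"{field}: {values}")
```

A non-empty rdn_ignored or ext_ignored list means the Jurisdiction's "enforce DN" or "enforce Profile" setting took precedence over the request.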
