000021641 - Problem enrolling for a certificate in RSA Keon Certificate Authority with special characters using Microsoft Internet Explorer 6 SP1

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021641

Applies To

    - Keon Certificate Authority 6.5.1
    - Microsoft Windows 2000 Server
    - Microsoft Internet Explorer 6.0
    - Sun Solaris

Issue

Problem enrolling for a certificate in RSA Keon Certificate Authority with special characters using Microsoft Internet Explorer 6 SP1
When trying to enroll for a certificate through Microsoft Internet Explorer 6 SP1 with the underscore symbol in the Common Name field (e.g. John_Smith), the following error appears in a Windows dialog box:

"Your browser is unable to generate requests containing certain special characters. Please ensure that none of your input values contain any of the characters listed below, then try submitting your request again. Name, Organization Unit, Organization, Locality, State/Province, Country: <>~!@#$^&*| "
Cause

RSA Keon Certificate Authority will, by default, encode the Common Name, Organizational Unit, Organization, Locality, State, and Country DN attributes as PrintableStrings. The only characters allowed under PrintableString are the following:

A-Z, a-z, 0-9, space \ ( ) + , - . / : = ?

In this instance, the underscore character is not valid, and KCA will not allow you to enroll for the certificate.
Resolution

It is possible to allow the creation of a certificate request with special characters. To do this, the Jurisdiction used to sign the request must be configured to encode with UTF8 String, and the Web page template used for IE enrollment must also be edited.

NOTE: Because the validity check is done at the browser level on IE only, if you are using Netscape or Mozilla (where the entries are not validated), you must be sure you've set all encoding to UTF8_STRING_ONLY. If this is not done, KCA will still sign the requests encoded with the default PrintableString, and the resulting certificates may be invalid.

Change Certificate Encoding

To change the encoding type for the certificate, go to your KCA Admin Interface and choose the Certificate Operations Workbench:

    - Select the CA you are using for end user requests
    - Scroll down and click on the Configure button with the correct Jurisdiction selected
    - From the Sections drop-down select "Certificate Attributes"
    - At the bottom of the page set the "Encoding" to "UTF8_STRING_ONLY"
    - Click on Save to save the configuration

Change which characters are allowed in the request DN on IE

In this instance, we will allow the use of underscores. Navigate to the KCA installation directory using Explorer on Windows or a command prompt:

    - Under RSA_KeonCA\Webserver\x-template, make a backup copy of x-enroll-msie-dn-script.xuda
    - Open the file x-enroll-msie-dn-script.xuda with a text editor
    - Search for the first instance of 'regExpTest'. This is the function that validates entered data.
    - The line above that function should contain a regular expression which KCA should use for validation purposes:

        var regExp1 = new RegExp( "\[\042\]" );
        var RegExp = new RegExp( "\[<>\047\042~!@#$^&*|\134;+\_]" );
        function regExpTest(re, str)
        {
            if (re.test(str))
                return true;
            else
                return false;
        }

To enable underscores in the certificate request we have to modify the line shown below:

       
        var RegExp = new RegExp( "\[<>\047\042~!@#$^&*|\134;+\_]" );

and remove the underscore character so the line becomes as follows:

        var RegExp = new RegExp( "\[<>\047\042~!@#$^&*|\134;+\]" );

Save the file and restart the KCA.

NOTE: The above function is for MSIE only. This enforcement is not done for other browsers.
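Because the IE template check is a character blocklist and other browsers skip it entirely, the same DN values can be checked against the PrintableString repertoire independently of the browser before a request is signed. The following is an added example, not RSA code: the helper names, the "PRINTABLE_STRING" label and the sample DN are assumptions, the PrintableString repertoire is the one defined in ITU-T X.680, and the blocklist is a transcription of the edited line above.

```javascript
// Added example, not RSA code. Runs in Node.js or a modern browser console.

// PrintableString repertoire as defined in ITU-T X.680.
const PRINTABLE = /^[A-Za-z0-9 '()+,\-.\/:=?]*$/;

// Transcription of the article's edited IE blocklist (underscore removed),
// reading the octal escapes as \047 = ', \042 = ", \134 = \ (assumed intent).
const IE_BLOCKLIST = /[<>'"~!@#$^&*|\\;+]/;

// Hypothetical helper: unique characters of `value` outside PrintableString.
function outsidePrintable(value) {
  return [...new Set(value)].filter((ch) => !PRINTABLE.test(ch));
}

// Hypothetical helper: decide whether a DN can be signed under the given
// jurisdiction encoding. "UTF8_STRING_ONLY" is the setting from the article;
// any other value is treated as the default PrintableString encoding.
function checkDn(dn, encoding) {
  const findings = [];
  for (const [attr, value] of Object.entries(dn)) {
    const bad = outsidePrintable(value);
    findings.push({
      attr,
      passesIeCheck: !IE_BLOCKLIST.test(value), // what the edited template allows
      needsUtf8: bad.length > 0,                // what PrintableString cannot hold
      bad,
    });
  }
  const ok =
    encoding === "UTF8_STRING_ONLY" || findings.every((f) => !f.needsUtf8);
  return { ok, findings };
}

// Constructed sample request fields.
const sample = { CN: "John_Smith", OU: "R&D", O: "Example Corp", C: "US" };
console.log(checkDn(sample, "PRINTABLE_STRING")); // ok: false, CN and OU flagged
console.log(checkDn(sample, "UTF8_STRING_ONLY").ok);
```

A value such as John_Smith passes the edited IE check yet is not a valid PrintableString, which is why the jurisdiction encoding change and the template edit have to be made together.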

Legacy Article ID: a24090
