Certificate Management Protocol (CMP) request values are being overridden by KCA jurisdiction settings
Originally Published: 2004-03-16
Article Number
000061347
Applies To
Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server
Issue
Certificate Management Protocol (CMP) request values are being overridden by KCA jurisdiction settings
RDN values in the Certificate Management Protocol (CMP) certificate request are ignored
V3 extension requests in the Certificate Management Protocol (CMP) certificate request are ignored
Cause
Keon CA and Certificate Management Protocol (CMP) are working as designed. The purpose of "enforce DN" and "enforce Profile" is to enforce the DN and profile on all certificates issued through that Jurisdiction. Any certificate requests that do not conform to those definitions will have their requested DN/extensions ignored, and the certificate will be issued according to the enforced configuration.
Resolution
Some suggested solutions to this issue:

1. If you do not wish the DN and extension profile to be enforced, clear the "enforce DN" and "enforce Profile" checkboxes in the Jurisdiction configuration.

2. Create a customer extension profile and add the Subject Alternative Name extension to the Basic PKIX EE extension profile (note that issued certificates will also contain the other extensions in this profile). Also, add the OU attribute to the required attributes in the Jurisdiction configuration.

3. If you do not want to change this Jurisdiction configuration because it is required for other (non-CMP) certificates, create a new Jurisdiction with the desired configuration for CMP requests (a CA may have multiple Jurisdictions).
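To confirm whether a Jurisdiction overrode a CMP request, compare what was requested with what was issued. The following is an added example, not part of the original article or of Keon CA; it assumes the subject DN strings (RFC 4514 style, single-character backslash escapes) and extension names have already been extracted from the request and the issued certificate, and all sample values are constructed.

```python
def parse_dn(dn):
    """Split an RFC 4514-style DN string into (TYPE, value) pairs."""
    pairs, buf, escaped = [], [], False

    def flush():
        attr, _, value = "".join(buf).partition("=")
        if attr.strip():
            pairs.append((attr.strip().upper(), value.strip()))
        buf.clear()

    for ch in dn:
        if escaped:              # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":         # RDN separator or multi-valued RDN separator
            flush()
        else:
            buf.append(ch)
    flush()
    return pairs


def diff_request_vs_issued(req_dn, cert_dn, req_exts, cert_exts):
    """Report RDNs and extensions the CA dropped from, or imposed on, a request."""
    req, cert = parse_dn(req_dn), parse_dn(cert_dn)
    return {
        # Values are compared case-sensitively, as written in the inputs.
        "rdns_dropped": [p for p in req if p not in cert],
        "rdns_imposed": [p for p in cert if p not in req],
        "extensions_dropped": sorted(set(req_exts) - set(cert_exts)),
        "extensions_imposed": sorted(set(cert_exts) - set(req_exts)),
    }


if __name__ == "__main__":
    # Constructed sample: the request asks for an OU and a Subject Alternative
    # Name; the certificate came back with the enforced DN and profile instead.
    report = diff_request_vs_issued(
        "CN=app01.example.test,OU=Payments\\, EU,O=Example Corp,C=US",
        "CN=app01.example.test,O=Example Corp,C=US",
        ["subjectAltName", "keyUsage"],
        ["keyUsage", "basicConstraints", "authorityKeyIdentifier"],
    )
    for field, items in report.items():
        print(f"{field}: {items}")
```

A non-empty `rdns_dropped` or `extensions_dropped` list indicates the enforced configuration replaced requested values.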
Workaround
A certificate request is submitted via Certificate Management Protocol (CMP)