This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
AnthonyFualdes
Occasional Contributor
Occasional Contributor
‎2017-11-08 10:35 AM

How to use SAN certificates for AM access ?

Hi,

 

My customer has try to use SAN certificate on AM to replace standard one. Importation was ok but the activation step lead to the following issue.

pastedImage_2.png

Their SAN certificate is composed of 3 DNS références including the real name of the host himself but it doesn't work

 

AM is it compliant with SAN certfificates ?

 

Thanks in advance for your help.

Have a nice day.

 

Anthony

Labels (1)
0 Likes
Reply
9 Replies
jeffshurtliff
Administrator Administrator
Administrator
‎2017-11-09 09:25 AM

Hi Anthony,

 

I have moved this thread to the RSA SecurID Suite" data-type="space so that you can get an answer to your question.

 

You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA SecurID Suite" data-type="space page.

 

securid_discussions-section.png

 

Thanks,
Jeff

0 Likes
Reply
EdwardDavis
Employee
Employee
‎2017-11-09 12:17 PM

RSA Auth Manager console certs must be one name, the FQDN of the RSA server. No cnames, no alternates, no wildcards. It is not that we do not accept SAN certs per se, but SAN information won't work. The RSA Auth Manager Server can only be identified, or identify itself, by one name. When you change those certificates, internal components will restart and look at the cert, and it if doesn't match the RSA server name in any way, it won't start up correctly.

 

The Subject Alternative Name Field Explained

The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain Certificate.

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to EdwardDavis
‎2017-11-09 05:55 PM

The default RSA signed Certs do not have anything in this SAN field, basically for the reasons Ed explained, but 

New versions of Chrome (v.58) and FireFox check the Subject Alternate Name field, and if blank (as RSA has in AM) the browser now considers this an un-trusted site.* Details below.

 

There's an RFE in JIRA, AM-31165 - AM 8.2 Cert Signing Requests, CSRs have empty Subject Alternate Name fields, which Chrome/FF no longer trust, 
asking if we Can we add FQDN to the Subject Alternate Name, SAN field in our CSRs.

 

One option would be to replace RSA self-signed Cert with CA signed, and tell CA to include just the FQDN in the SAN field, same as in the Subject field.  This would not help quick setup.

 

* DETAILS: There is a a work-around to disable this check, but is only good for a year or until Chrome v.65 comes out
https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
Description:
When this setting is enabled, Google Chrome will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.
Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.
If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.

SAN_field.png

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to JayGuillette
‎2017-11-09 05:56 PM

Cert_SAN_field.png

Reply
AnthonyFualdes
Occasional Contributor
Occasional Contributor
In response to EdwardDavis
‎2017-11-10 08:25 AM

Many Thanks Edward for your explanations.

0 Likes
Reply
AnthonyFualdes
Occasional Contributor
Occasional Contributor
In response to JayGuillette
‎2017-11-10 08:30 AM

Thank you Jay, so if I well understood the SAN fields are only used for browser expectations and not for unique SSL certificate.

0 Likes
Reply
AnthonyFualdes
Occasional Contributor
Occasional Contributor
In response to jeffshurtliff
‎2017-11-10 08:32 AM

Thank you Jeff,

Next time, I will post my question in the right topic.

Sorry.

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to AnthonyFualdes
‎2017-11-10 09:46 AM

I think so.  My first experience with SAN was what Ed described, it was used to add alternate and wildcard names to a Cert, which is common in our new SID Access Identity Router, IDR, which will host multiple web servicers with different names under one domain, e.g. https://concur.rsalab.com, https://sfrsalab.comhttps://ibot.rsalab.com - but the Authentication Manager world always shunned wildcard certs, because we were a security device and consider sharing the certificate as insecure.  So we never bothered to put anything in the SAN field.

Now 20 years later it is considered unsafe to accept a Certificate where the SAN does not match to the FQDN, so of course our empty SAN field does not match any FQDN.  So I think you are correct, the SAN is used for browser expectations, but those expectations are now becoming a security standard.

Reply
AnthonyFualdes
Occasional Contributor
Occasional Contributor
In response to JayGuillette
‎2017-11-10 11:35 AM

Thanks Jay, it's crystal clear !

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.