Bug #8381

closed

Cert manager requires fields that aren't necessary

Added by Justin Coffman about 6 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 03/19/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Attempting to generate a CA or certificate via the cert management tool in the web GUI yields the following error:

"The field Distinguished name Email Address is required."

The emailAddress field is not required in any X.509v3-compliant certificate, unless that certificate is intended for use as an email signing certificate. According to RFC 5280, only a certificate intended to authenticate an email address (such as an email signing certificate) should include an email address at all, and even then, it must be done as an RFC822Name entry under the Subject Alternative Name extension.

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

In fact, the ONLY attribute that is mandatory for the DistinguishedName field in a certificate is the CommonName attribute. All other attributes should be made optional in the web GUI.
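
The RFC 5280 point in the description above, as an added example that is not part of the original report or the project's code: shell functions that use the OpenSSL CLI to issue a test certificate whose subject holds only CN with the mailbox in the SAN as an rfc822Name, and to check any certificate for the legacy emailAddress subject attribute. It assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`); the function names and the sample CN and mailbox are hypothetical.

```shell
#!/bin/sh
# Added example. CN and MAIL are constructed sample values.
CN="vpn-user-01"
MAIL="user@example.com"

# make_cert DIR [SUBJECT]: write a self-signed test certificate to DIR/cert.pem.
# The default subject carries only CN; the mailbox goes into the
# subjectAltName extension as an rfc822Name ("email:" in OpenSSL syntax).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "${2:-/CN=$CN}" \
        -addext "subjectAltName=email:$MAIL" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# subject_has_email CERT: succeeds if the deprecated emailAddress
# attribute is present in the subject distinguished name.
subject_has_email() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        grep -q 'emailAddress='
}

# san_emails CERT: print each rfc822Name found in the SAN extension.
san_emails() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *email:\(.*\)$/\1/p'
}

# Demo: issue the CN-only certificate and report where the address lives.
tmp=$(mktemp -d)
make_cert "$tmp"
if subject_has_email "$tmp/cert.pem"; then
    echo "subject DN carries emailAddress (legacy form)"
else
    echo "subject DN has no emailAddress"
fi
echo "rfc822Name in SAN: $(san_emails "$tmp/cert.pem")"
rm -rf "$tmp"
```
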
