Document toolboxDocument toolbox

(12.5.0-en) Certificate

This article shows how to specify the basic data for the certificate to be issued by the certification body for SCEP in IGEL OS.


Menu path: Network > SCEP Client (NDES) > Certificate

Type of CommonName/SubjectAltName

The characteristic for linking the certificate to the device.

  • IP address: The IP address of the device.

  • DNS name: The DNS name of the device. (Default)

  • IP address (auto): The IP address of the device (inserted automatically).

  • DNS name (auto): The DNS name of the device (inserted automatically).

  • Email address: An email address.

  • DNS name as UPN (auto)

If the client automatically obtains its network name, DNS name (auto) is a good type for the client certificate. 

 

If you use DNS name (auto) and the hostname gets changed, the network authentication will usually continue to function using the certificate with the old hostname. This can later lead to client certificate renewal failure, with the notification: "Renewal of client certificate failed - subject has changed OLDNAME > NEWNAME". You can change the behavior through the network.scepclient.cert%.hostname_change_handling registry key. For details and troubleshooting, see Troubleshooting: SCEP Certificate Renewal Failure due to Hostname Change.

 

CommonName/SubjectAltName

The parameter is available if  Type of CommonName/SubjectAltName  is set to  IP address,  DNS name, or  Email address. Give a designation which matches the  Type of CommonName/SubjectAltName. 

 

CommonName/SubjectAltName Suffix

The parameter is available if  Type of CommonName/SubjectAltName  is set to  IP address (auto),  DNS name (auto), or  DNS name as UPN (auto). Specifies a suffix that will be added to CommonName/SubjectAltName.
Possible values:

  • None: No suffix will be added.

  • Dot + DNS domain (auto): The system's current DNS domain name separated with a dot will be added. Example:  .igel.local

  • Free text entry: The manually entered suffix will be added. Take notice that the percent symbol "%"  is used for introducing the escape sequence, and thus the following replacements take place automatically:

    • % D  is replaced by the system's DNS domain name at the time the  certificate signing request  (CSR) is created. Example:  @% D  will be changed into  @ igel.deif the system's current DNS domain name is  igel.de.

    • %%  will be replaced by  %. Example:  A %% B will be changed into  A % B.

    • Other combinations with  %  are currently discarded. Example:  A % BC will be changed into  A C.

If you have to specify the suffix manually, make sure you enter the separator.


Organizational unit

Stipulated by the certification authority

 

Organization

A freely definable designation for the organization to which the client belongs

 

Locality

Details regarding the device’s locality. Example: "Augsburg".

 

State

Details regarding the device’s locality. Example: "Bayern".

 

Country

Two-digit ISO 3166-1 country code. Example: "DE".

 

RSA key length (bits)

Defines the key length (one suited to the certification authority) for the certificate that is to be issued.
Possible values:

  • 1024

  • 2048

  • 4096

Â