This article shows how to specify the basic data for the certificate to be issued by the certification body for SCEP in IGEL OS.
Menu path: Network > SCEP Client (NDES) > Certificate
Type of CommonName/SubjectAltName
The characteristic for linking the certificate to the device.
IP address: The IP address of the device.
DNS name: The DNS name of the device. (Default)
IP address (auto): The IP address of the device (inserted automatically).
DNS name (auto): The DNS name of the device (inserted automatically).
Email address: An email address.
DNS name as UPN (auto)
If the client automatically obtains its network name, DNS name (auto) is a good type for the client certificate.
If you use DNS name (auto) and the hostname gets changed, the network authentication will usually continue to function using the certificate with the old hostname. This can later lead to client certificate renewal failure, with the notification: "Renewal of client certificate failed - subject has changed OLDNAME > NEWNAME". You can change the behavior through the network.scepclient.cert%.hostname_change_handling registry key. For details and troubleshooting, see Troubleshooting: SCEP Certificate Renewal Failure due to Hostname Change.
CommonName/SubjectAltName
The parameter is available if Type of CommonName/SubjectAltName is set to IP address, DNS name, or Email address. Give a designation which matches the Type of CommonName/SubjectAltName.
CommonName/SubjectAltName Suffix
The parameter is available if Type of CommonName/SubjectAltName is set to IP address (auto), DNS name (auto), or DNS name as UPN (auto). Specifies a suffix that will be added to CommonName/SubjectAltName.
Possible values:
None: No suffix will be added.
Dot + DNS domain (auto): The system's current DNS domain name separated with a dot will be added. Example: .igel.local
Free text entry: The manually entered suffix will be added. Note that the percent symbol "%" introduces an escape sequence, so the following replacements take place automatically:
%D is replaced by the system's DNS domain name at the time the certificate signing request (CSR) is created. Example: @%D will be changed into @igel.de if the system's current DNS domain name is igel.de.
%% will be replaced by %. Example: A%%B will be changed into A%B.
Other combinations with % are currently discarded. Example: A%BC will be changed into AC.
If you have to specify the suffix manually, make sure you enter the separator.
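The free-text escape rules above, as an added Python example that is not part of IGEL's documentation or software: it expands a suffix the way this article describes and reports discarded sequences and a missing separator before the value ends up in a CSR. The function names, the hostname tc-0042, the handling of a trailing lone "%" and the test for "." or "@" as the separator are assumptions.

```python
import re

# Escape rules as described in this article:
#   %D               -> system DNS domain name at CSR creation time
#   %%               -> literal "%"
#   % + other char   -> discarded (both characters)
_ESCAPE = re.compile(r"%(.?)", re.DOTALL)


def expand_suffix(template, dns_domain):
    """Return (expanded_suffix, discarded_sequences) for a free-text suffix."""
    discarded = []

    def _sub(match):
        code = match.group(1)
        if code == "D":
            return dns_domain
        if code == "%":
            return "%"
        # Assumption: a lone "%" at the end of the string is dropped as well.
        discarded.append(match.group(0))
        return ""

    return _ESCAPE.sub(_sub, template), discarded


def preview_subject(hostname, template, dns_domain):
    """Build the name that would go into the CSR and collect warnings."""
    suffix, discarded = expand_suffix(template, dns_domain)
    warnings = [f"escape sequence {seq!r} is discarded" for seq in discarded]
    # The suffix is appended verbatim, so the separator must be part of it.
    # Assumption: "." and "@" are the separators in use, as in the examples.
    if suffix and suffix[0] not in ".@":
        warnings.append("suffix does not start with a separator ('.' or '@')")
    return hostname + suffix, warnings


if __name__ == "__main__":
    # Constructed sample values; "igel.de" is the example domain from the article.
    for tmpl in ("@%D", ".%D", "A%%B", "A%BC", "%D"):
        name, warns = preview_subject("tc-0042", tmpl, "igel.de")
        print(f"{tmpl!r:8} -> {name!r} {warns}")
```

Running a planned suffix through such a preview shows a typo like %d or a forgotten dot before it produces certificates whose subject does not match what the authentication server expects.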
Organizational unit
Stipulated by the certification authority
Organization
A freely definable designation for the organization to which the client belongs
Locality
Details regarding the device’s locality. Example: "Augsburg".
State
Details regarding the device’s locality. Example: "Bayern".
Country
Two-digit ISO 3166-1 country code. Example: "DE".
RSA key length (bits)
Defines the key length (one suited to the certification authority) for the certificate that is to be issued.
Possible values:
1024
2048
4096