Problem issuing a certificate which just includes SAN/OtherName of type id-on-hardwareModuleName

[shunt9]

Hi

I'm trying to configure EJBCA to issue IDevID birth identities to our product at time of manufacture using the pkcs10enroll REST API. The specification that we need to comply is quite simple and states that:

• The Subject DN must be empty
• The certificates must contain a Subject Alternative Name extension containing an alternative OtherName of type of type id-on-hardwareModuleName
• The content of the id-on-hardwareModuleName uses our own enterprise OID as hwType and an octet string as the hwSerialNum

The CSRs we generate include the entire SAN as an extension request.

The problems I'm having differ depending on whether I'm using RA Web or the REST API
RA Web:

• When using RA Web to create a certificate request, I can load a CSR which includes the SAN, but the buttons to complete the request and download the certificate are all disabled in the UI
• The only way to enable the buttons is to include at least one non-empty Subject DN Attributes field or Subject Alternative Name field in the end entity profile... however I don't want this extra information included in the certificate
• As a workaround I have managed to generate a valid certificate by including a Registered Identifier Subject Alternative Name field in the profile set to the subjectAltName OID (ie 2.5.29.17)... luckily this results in just the SAN copied from the CSR being included in the certificate and doesn't include the additional registered identifier
• Is there a way to make RA web aware of the SAN in the CSR and enable the buttons without having to add additional fields to the end entity profile ?

REST API (pkcs10enroll):

• When using the REST API I can't get it to accept a request at all
• If I submit a request using a similar CSR I get a "Only empty subject alternative name is supported." unless at least one Subject Alternative Name field is included in the end entity profile
• If at least one field is included I get a "Unsupported Subject Alternate Name Field found in:HARDWAREMODULENAME=1.3.6.1.4.1.59126.1/2022100045" response
• The REST API also complains if there is a Subject CN included in the CSR when I just want the value to be ignored like RA Web does

In the Certificate Profile I have:

• Allow Extension Override selected
• Subject Alternative Name selected as critical

I have also tried using a Custom Certificate Extension for the SAN but it doesn't make any difference to how RA Web or the REST API behave.

Has anyone been successful in getting something similar to work ? Is there some critical configuration that I'm missing ? I'm particularly puzzled as to why the REST API behaves like this. I have seen similar posts and the suggestions have always been to use the extension override or custom certificate extension features.

regards
Steve

[primetomas]

In order to use "extension override" with this you need to process the message in a "client mode" fashion. That means pre-registering an end entity with say the desired subjectDN, but no SAN. Then you enroll against that end entity, and in this case the SAN from the CSR will not be tried to be processed.
The issue here is that the "pkcs10enroll" end point parses the CSR in order to create an end entity, and the end entity profile doesn't have selectable HWModuleName. If this is called from a trusted RA (which I assume since "pkcs10enroll" requires a trusted called, you can use "endentity" + "certificaterequest" end points instead it should work.

Last resort is to disable "end entity profile limitations" in system configuration, but that is not recommended as that disables policy enforcement on all end entity profiles in the system. So using "endentity" + "certificaterequest" is my recommendation.

Cheers,
Tomas

[shunt9]

@primetomas many thanks for that! I can confirm disabling "end entity profile limitations" works... I couldn't test your recommended approach as the "endentity" endpoint doesn't seem to be available in the community edition.