Certificate
This article describes how to set the basic data for the certificate that the certification authority (CA) issues via SCEP in IGEL OS. The settings on this page determine the content of the Certificate Signing Request (CSR).
Menu path: Network > SCEP Client (NDES) > Certificate

Type of CommonName/SubjectAltName
The attribute that binds the certificate to the device.
IP address: The IP address of the device (entered manually).
DNS name: The DNS name of the device (entered manually). (Default)
IP address (auto): The IP address of the device (inserted automatically).
DNS name (auto): The DNS name of the device (inserted automatically). If the client obtains its network name automatically, DNS name (auto) is a good choice for the client certificate.
If you use DNS name (auto) and the hostname changes later, network authentication will usually keep working with the certificate issued for the old hostname. The next renewal, however, can fail with the notification "Renewal of client certificate failed - subject has changed OLDNAME > NEWNAME". You can change this behavior through the registry key network.scepclient.cert%.hostname_change_handling. For details and troubleshooting, see Troubleshooting: SCEP Certificate Renewal Failure due to Hostname Change.
Email address: An email address (entered manually).
DNS name as UPN (auto): The DNS name of the device, inserted automatically and used as a User Principal Name.
UPN (Microsoft User Principal Name): A UPN entered manually.
CommonName/SubjectAltName
The parameter is available if Type of CommonName/SubjectAltName is set to IP address, DNS name, UPN, or Email address. Enter a value that matches the selected type. For the (auto) types the value is inserted automatically, and no entry is required.
CommonName/SubjectAltName Suffix
The parameter is available if Type of CommonName/SubjectAltName is set to IP address (auto), DNS name (auto), or DNS name as UPN (auto). Specifies a suffix that will be added to CommonName/SubjectAltName.
Possible values:
None: No suffix will be added.
Dot + DNS domain (auto): The system's current DNS domain name, separated with a dot, will be added. Example:
.igel.local
Free text entry: The manually entered suffix will be added. Note that the percent sign "%" introduces an escape sequence, so the following replacements take place automatically:
%D is replaced by the system's DNS domain name at the time the certificate signing request (CSR) is created. Example: @%D becomes @igel.de if the system's current DNS domain name is igel.de.
%% is replaced by a single %. Example: A%%B becomes A%B.
Any other combination of % and a following character is currently discarded. Example: A%BC becomes AC.
If you specify the suffix manually, make sure you include the separator yourself (for example the dot in front of a DNS domain); it is not added for you.
You can configure 4 additional Subject Alternative Names (SANs) in the Certificate Signing Request (CSR) using the following registry keys:

| Setting | Registry key |
| --- | --- |
| CommonName/SubjectAltName (+N) | network.scepclient.cert%.subjectaltname_otherN |
| Type of CommonName/SubjectAltName (+N) | network.scepclient.cert%.subjectaltname_otherN_type |
| CommonName/SubjectAltName Suffix (+N) | network.scepclient.cert%.subjectaltname_otherN_suffix |

N is the slot number in the range {1, 2, 3, 4}. A slot is ignored if network.scepclient.cert%.subjectaltname_otherN_type is set to none.
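To predict which names the CSR will carry before sending it to the CA, the following script models the suffix escape rules described above (%D, %%, discarded pairs) together with the primary name and the four optional +N slots. It is an added example, not code from IGEL OS; the type identifiers (ip_auto, dns_as_upn_auto, ...), the DOT_DNS_DOMAIN marker, the sample hostname, domain and IP, and the behavior of a lone trailing "%" are assumptions made for this example. The OpenSSL rendering uses the msUPN OID (1.3.6.1.4.1.311.20.2.3) for UPN names.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample system state (an assumption for this example): what the
# device would report at CSR creation time.
SYSTEM = {"hostname": "tc-0815", "dns_domain": "igel.de", "ip": "10.1.2.3"}

# Matches '%' plus the following character, if any.
_ESCAPE = re.compile(r"%(.)?", re.S)


def expand_suffix(suffix: str, dns_domain: str) -> str:
    """Expand a free-text suffix: '%D' -> DNS domain, '%%' -> '%', any other
    '%<char>' pair is discarded. A lone trailing '%' is discarded as well
    (assumption: the page only describes two-character sequences)."""
    def repl(m):
        ch = m.group(1)
        if ch == "D":
            return dns_domain
        if ch == "%":
            return "%"
        return ""
    return _ESCAPE.sub(repl, suffix)


def apply_suffix(value: str, suffix_mode: Optional[str], dns_domain: str) -> str:
    """suffix_mode: None = 'None', 'DOT_DNS_DOMAIN' = 'Dot + DNS domain (auto)',
    any other string is free text and is expanded with expand_suffix()."""
    if suffix_mode is None:
        return value
    if suffix_mode == "DOT_DNS_DOMAIN":
        return value + "." + dns_domain
    return value + expand_suffix(suffix_mode, dns_domain)


# Type identifiers are assumed names for the page's option labels.
AUTO_TYPES = {"ip_auto": "IP", "dns_auto": "DNS", "dns_as_upn_auto": "UPN"}
MANUAL_TYPES = {"ip": "IP", "dns": "DNS", "email": "email", "upn": "UPN"}


def resolve_name(kind: str, value: Optional[str], suffix: Optional[str],
                 system: dict) -> Optional[Tuple[str, str]]:
    """Turn one (type, value, suffix) setting into a (SAN type, name) pair,
    or None when the type is 'none' (the slot is ignored)."""
    if kind == "none":
        return None
    if kind in AUTO_TYPES:
        base = system["ip"] if kind == "ip_auto" else system["hostname"]
        return AUTO_TYPES[kind], apply_suffix(base, suffix, system["dns_domain"])
    if kind in MANUAL_TYPES:
        if not value:
            raise ValueError(f"type {kind!r} needs a CommonName/SubjectAltName value")
        # The suffix setting is not offered for manually entered types.
        return MANUAL_TYPES[kind], value
    raise ValueError(f"unknown type {kind!r}")


def build_san_list(main: Tuple, slots: List[Tuple], system: dict) -> List[Tuple[str, str]]:
    """Primary name first, then the +1..+4 slots, skipping those set to none."""
    names = [resolve_name(*main, system)]
    for slot in slots[:4]:
        resolved = resolve_name(*slot, system)
        if resolved is not None:
            names.append(resolved)
    return names


def openssl_san(names: List[Tuple[str, str]]) -> str:
    """Render as the value of an OpenSSL 'subjectAltName=' extension so the
    expected CSR can be reproduced and inspected with 'openssl req' off-device."""
    prefix = {"IP": "IP:", "DNS": "DNS:", "email": "email:",
              "UPN": "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:"}
    return ",".join(prefix[t] + v for t, v in names)


def demo() -> str:
    # Primary: DNS name (auto) with 'Dot + DNS domain (auto)'.
    main = ("dns_auto", None, "DOT_DNS_DOMAIN")
    # Slots: +1 DNS name as UPN (auto) with free-text suffix, +2 unused, +3 manual email.
    slots = [("dns_as_upn_auto", None, "@%D"),
             ("none", None, None),
             ("email", "admin@igel.de", None)]
    return openssl_san(build_san_list(main, slots, SYSTEM))


if __name__ == "__main__":
    print(demo())
```

The rendered string can be fed to `openssl req -new -addext "subjectAltName=..."` to check in advance what the CA will see, which is the quickest way to catch a missing separator in a free-text suffix or a slot that was meant to be active but is still set to none.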
Organizational unit
Stipulated by the certification authority
Organization
A freely definable designation for the organization to which the client belongs
Locality
Details regarding the device’s locality. Example: "Augsburg".
State
The state or province in which the device is located. Example: "Bayern".
Country
Two-digit ISO 3166-1 country code. Example: "DE".
RSA key length (bits)
Defines the length of the RSA key generated for the certificate that is to be issued. Choose a value the certification authority accepts.
Possible values:
1024
2048
4096
The RSA key length specified here must not be lower than the minimum key length configured on the server; otherwise the CSR is rejected. 1024-bit RSA keys are considered insecure today and are refused by many CAs, so use 2048 bits or more.