2.7. Using the CN Attribute in the SAN Extension

Several client applications and libraries no longer support using the Common Name (CN) attribute of the Subject DN for domain name validation, which has been deprecated in RFC 2818. Instead, these applications and libraries use the dNSName Subject Alternative Name (SAN) value in the certificate request.
Certificate System copies the CN into the SAN extension only if it matches the preferred name syntax of RFC 1034 Section 3.5 and consists of more than one component (label). Existing SAN values are preserved: the dNSName value built from the CN is appended to the SAN values already present rather than replacing them.
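As an added illustration (this is not Certificate System's own code), the copy rule above expressed in Python: a CN is mirrored into the dNSName SAN list only when every label matches RFC 1034 preferred name syntax and the name has more than one component, and existing values are kept. The regular expression, the 253-character total-length check and the function names are this example's own assumptions, and it enforces the RFC 1034 grammar literally (each label starts with a letter).

```python
import re
from typing import List

# One RFC 1034 section 3.5 label: starts with a letter, ends with a letter or
# digit, only letters, digits and hyphens in between, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_preferred_name(name: str) -> bool:
    """True if every dot-separated label is valid and the whole name is <= 253 chars.

    The 253-character bound is the usual textual limit; it is an assumption here.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def cn_eligible_for_san(cn: str) -> bool:
    """The two conditions stated on the page: valid syntax and more than one component."""
    return is_preferred_name(cn) and cn.count(".") >= 1


def apply_cn_to_san(cn: str, existing_dns_names: List[str]) -> List[str]:
    """Return the dNSName SAN values the profile default would produce.

    Existing values are preserved; the CN is appended only when eligible.
    """
    result = list(existing_dns_names)
    if cn_eligible_for_san(cn):
        result.append(cn)
    return result


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real request.
    samples = [
        ("www.example.com", []),                       # copied
        ("intranet", ["intranet.example.com"]),         # single label: not copied
        ("_ldap.example.com", []),                      # underscore: not copied
        ("mail.example.com", ["smtp.example.com"]),     # appended after existing SAN
    ]
    for cn, sans in samples:
        print(f"CN={cn!r:24} SAN dNSName -> {apply_cn_to_san(cn, sans)}")
```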
To configure Certificate System to automatically use the CN attribute in the SAN extension, edit the certificate profile used to issue the certificates. For example:
  1. Disable the profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-disable profile_name
  2. Edit the profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-edit profile_name
    1. Add the following configuration with a unique set number for the profile. For example:
      policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
      policyset.serverCertSet.12.constraint.name=No Constraint
      policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
      policyset.serverCertSet.12.default.name=Copy Common Name to Subject
      The previous example uses 12 as the set number.
    2. Append the new policy set number to the policyset.userCertSet.list parameter (the list parameter must belong to the same policy set as the entries added in the previous step). For example:
      policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,12
    3. Save the profile.
  3. Enable the profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-enable profile_name