Systems Management General

@MK1024 , As @DELL-Joey C mentioned OMSA CSR does not support SAN field. Another option is to create keypair and certificate outside OMSA with SAN field and upload the certificate with key to OMSA using PKCS12 format file.

Thanks for the suggestion.  That sounds like a ton of extra work. Updating OMSA to include the SAN attribute would probably be very easy.  I bet I could get it done in half a day if I were on that team.

Do you have any tips on how to do this, or a link to an article that demonstrates?  I previously used certreq.exe to generate certs for UBNT equipment.  That's not working with OMSA.  It displays a generic "HTTP Status 403 - Forbidden" error when I try to import the cert.

Hello MK1024 ,

Since this is new feature in this release I will have to do some checking and let you know what I find.

Initially I would recommend make sure to clear browser cache and try other browsers.

Are you getting the correct format back?

x.509 Certificate Management page 35 : https://dell.to/3ARi6Kx

 Import certificate chain — Allows you to import the certificate chain (in PKCS#7 format) signed by a trusted CA

Hello MK1024 ,

I see the last line on the OMSA certificate signing request, has the Subject Alternative Name field (see image).

If it's missing it could be you did an in place upgrade which does not mess with the webserver attributes.

I don't know if it would be missing that specific setting, but it may.

Uninstall/reinstall or deleting the apache-tomcat folder and running a repair should fix that.

Charles,

That option that you show creates a self-signed ceritifcate.  Self signed certificates will produce certificare warnings from all browsers.  The function that needs the SAN attribute added is "Certificate Signing Request (CSR).  The CSR can be submitted to an internal CA to get back a signed certificate that corporate browsers will accept.