
Last reply by 11-22-2022 Solved
3 Argentum
2293

OpenManage Server Administrator Managed Node (OMSA) Subject Alternative Name Missing

I open Server Administrator (9.5 - the latest version) in Chrome or Edge and get a warning that the certificate is invalid. I go to Preferences > General Settings > X.509 Certificate > Certificate Maintenance > Certificate Signing Request (CSR) and generate a CSR. I submit the CSR to the domain CA and receive a P7B file back. I load the P7B file via Preferences > General Settings > X.509 Certificate > Import a certificate chain. Then I reload Server Administrator in Chrome or Edge and get a certificate warning. Why? - Because the CSR did not include a Subject Alternative Name (SAN) attribute, and it is missing from the certificate. Both Chrome and Edge reject certificates that don't have a SAN attribute, and Firefox is planning to do the same in a future version. The SAN attribute has been required by Chrome since April 2017. Why is the version of OMSA released 5 years later not generating proper CSRs?

Solution (1)

Accepted Solutions
3 Argentum
352

This is finally resolved in OMSA 10.3.0.0.  The CSR OMSA generates results in a certificate that contains the NETBIOS name (SERVER) and the FQDN (SERVER.domain.local) in the SAN attribute.


Replies (16)
1747

Hi,

Unfortunately, OMSA doesn't have the capability to support Subject Alternative Name (SAN) in the certificate. I'll create a case for the engineer to pull the requests on it and have them review it.


DELL-Joey C
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell

Did I answer your query? Please click on ‘Accept as Solution’. ‘Kudo’ the posts you like!

1736

@MK1024, as @DELL-Joey C mentioned, the OMSA CSR does not support the SAN field. Another option is to create the key pair and certificate outside OMSA with the SAN field and upload the certificate with the key to OMSA using a PKCS12 format file.


Thanks,
DELL-Shine K
#IWork4Dell
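
The workaround described in the reply above (key pair and CSR created outside OMSA with a SAN, signed certificate bundled as PKCS12), sketched with the OpenSSL command line as an added example; it is not part of the original thread and not a Dell procedure. It assumes OpenSSL 1.1.1 or later, and the function names and the `omsa.key` / `omsa.csr` file names are placeholders chosen here.

```shell
#!/bin/sh
# Added example. Needs OpenSSL 1.1.1+ (-addext). File names are placeholders.

# make_csr FQDN SHORTNAME OUTDIR: new RSA key plus a CSR whose SAN holds both names.
make_csr() {
    fqdn=$1; short=$2; out=$3
    ( umask 077   # keep the private key unreadable to other users
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/omsa.key" -out "$out/omsa.csr" \
          -subj "/CN=$fqdn" \
          -addext "subjectAltName=DNS:$fqdn,DNS:$short" )
}

# san_names FILE KIND: print SAN DNS names, one per line.
# KIND is "req" for a CSR or "x509" for a certificate; no SAN prints nothing.
san_names() {
    openssl "$2" -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# has_san FILE KIND NAME: succeed only if NAME is listed in the SAN.
has_san() {
    san_names "$1" "$2" | grep -qxF "$3"
}

# make_p12 KEY CERT CHAIN OUT PASSFILE FQDN: bundle key, signed certificate and
# CA chain (PEM) as PKCS#12. Refuses a certificate the CA issued without the
# SAN, or one that does not belong to KEY.
make_p12() {
    key=$1; cert=$2; chain=$3; p12=$4; passfile=$5; name=$6
    has_san "$cert" x509 "$name" ||
        { echo "refusing: no SAN entry for $name in $cert" >&2; return 1; }
    [ "$(openssl pkey -in "$key" -pubout)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] ||
        { echo "refusing: $cert does not match $key" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
          -out "$p12" -passout "file:$passfile" )
}
```

A P7B reply from the CA can be unpacked to PEM with `openssl pkcs7 -print_certs` (add `-inform DER` for a binary file) before calling `make_p12`. Checking the issued certificate with `has_san` matters because a CA can sign a request and still leave the SAN out of the certificate.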

1702

Thanks for the suggestion.  That sounds like a ton of extra work. Updating OMSA to include the SAN attribute would probably be very easy.  I bet I could get it done in half a day if I were on that team.

3 Argentum
1490

Not fixed in OMSA 10.1.0.0.  I can generate a self-signed certificate with a SAN, but the CSR still lacks the attribute.

1478

Do you have any tips on how to do this, or a link to an article that demonstrates?  I previously used certreq.exe to generate certs for UBNT equipment.  That's not working with OMSA.  It displays a generic "HTTP Status 403 - Forbidden" error when I try to import the cert.

1465

Hello MK1024,

Since this is a new feature in this release, I will have to do some checking and let you know what I find.

Initially I would recommend making sure to clear the browser cache and trying other browsers.

Are you getting the correct format back?

x.509 Certificate Management page 35 : https://dell.to/3ARi6Kx

 Import certificate chain — Allows you to import the certificate chain (in PKCS#7 format) signed by a trusted CA


Dell -Charles R
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell


1459

Hello MK1024,

I see the last line on the OMSA certificate signing request has the Subject Alternative Name field (see image).

If it's missing, it could be that you did an in-place upgrade, which does not mess with the webserver attributes.

I don't know if it would be missing that specific setting, but it may.

Uninstall/reinstall or deleting the apache-tomcat folder and running a repair should fix that.


Dell -Charles R
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell


1242

Charles,

That option that you show creates a self-signed certificate.  Self-signed certificates will produce certificate warnings from all browsers.  The function that needs the SAN attribute added is "Certificate Signing Request (CSR)".  The CSR can be submitted to an internal CA to get back a signed certificate that corporate browsers will accept.

3 Argentum
1242

Not fixed in 10.2.0.0.
