February 5th, 2021 13:00

OpenManage Server Administrator Managed Node (OMSA) Subject Alternative Name Missing

I open Server Administrator (9.5 - the latest version) in Chrome or Edge and get a warning that the certificate is invalid. I go to Preferences > General Settings > X.509 Certificate > Certificate Maintenance > Certificate Signing Request (CSR) and generate a CSR. I submit the CSR to the domain CA and receive a P7B file back. I load the P7B file via Preferences > General Settings > X.509 Certificate > Import a certificate chain. Then I reload Server Administrator in Chrome or Edge and get a certificate warning. Why? - Because the CSR did not include a Subject Alternative Name (SAN) attribute, and it is missing from the certificate. Both Chrome and Edge reject certificates that don't have a SAN attribute, and Firefox is planning to do the same in a future version. The SAN attribute has been required by Chrome since April 2017. Why is the version of OMSA released 5 years later not generating proper CSRs?

101 Posts

November 22nd, 2022 15:00

This is finally resolved in OMSA 10.3.0.0.  The CSR OMSA generates results in a certificate that contains the NETBIOS name (SERVER) and the FQDN (SERVER.domain.local) in the SAN attribute.

Moderator

3.1K Posts

February 7th, 2021 19:00

Hi,

Unfortunately, OMSA doesn't have the capability to support Subject Alternative Name (SAN) in the certificate. I'll create a case for the engineer to pull the requests on it and have them review it.

4 Operator

3K Posts

February 7th, 2021 22:00

@MK1024, as @DELL-Joey C mentioned, the OMSA CSR does not support the SAN field. Another option is to create a key pair and certificate outside OMSA with the SAN field and upload the certificate with the key to OMSA using a PKCS12 format file.
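The workaround described in the reply above, as an added example that is not part of the original thread or of Dell's documentation: generate the key and a CSR that carries the SAN with OpenSSL, confirm the SAN is really in the request before sending it to the CA, then bundle the issued certificate and key as PKCS#12. The function and file names are assumptions; SERVER and SERVER.domain.local are the placeholder names used in this thread.

```shell
#!/bin/sh
# Added example: build a key and a SAN-bearing CSR outside OMSA.

# make_csr <short-name> <fqdn> <outdir>: writes server.key and server.csr
make_csr() {
    short=$1; fqdn=$2; out=$3
    mkdir -p "$out"
    # A config file is used instead of -addext so older OpenSSL builds work too.
    cat > "$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $fqdn
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$short
EOF
    # Private key readable by the owner only.
    ( umask 077 && openssl genrsa -out "$out/server.key" 2048 2>/dev/null )
    openssl req -new -key "$out/server.key" -config "$out/req.cnf" \
        -out "$out/server.csr"
}

# csr_has_san <csr> <dns-name>: succeeds only if the CSR requests exactly
# that DNS entry (whole-entry match, so SERVER does not match SERVER.domain).
csr_has_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

# bundle_p12 <key> <issued-cert> <ca-chain> <out.p12>: PKCS#12 file for upload.
# Prompts for an export password; delete the .p12 once it has been imported.
bundle_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4"
}
```

The CA decides whether to copy requested extensions into the issued certificate, so inspect the returned certificate with `openssl x509 -noout -text` before running `bundle_p12`.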

101 Posts

February 9th, 2021 11:00

Thanks for the suggestion.  That sounds like a ton of extra work. Updating OMSA to include the SAN attribute would probably be very easy.  I bet I could get it done in half a day if I were on that team.

101 Posts

August 16th, 2021 06:00

Not fixed in OMSA 10.1.0.0.  I can generate a self-signed certificate with a SAN, but the CSR still lacks the attribute.

101 Posts

August 16th, 2021 08:00

Do you have any tips on how to do this, or a link to an article that demonstrates?  I previously used certreq.exe to generate certs for UBNT equipment.  That's not working with OMSA.  It displays a generic "HTTP Status 403 - Forbidden" error when I try to import the cert.

Moderator

3.3K Posts

August 16th, 2021 10:00

Hello MK1024,

Since this is a new feature in this release, I will have to do some checking and let you know what I find.

Initially, I would recommend making sure to clear the browser cache and trying other browsers.

Are you getting the correct format back?

X.509 Certificate Management, page 35: https://dell.to/3ARi6Kx

Import certificate chain — Allows you to import the certificate chain (in PKCS#7 format) signed by a trusted CA

Moderator

3.3K Posts

August 16th, 2021 13:00

Hello MK1024,

I see the last line on the OMSA certificate signing request has the Subject Alternative Name field (see image).

If it's missing, it could be that you did an in-place upgrade, which does not mess with the webserver attributes.

I don't know if it would be missing that specific setting, but it may.

Uninstall/reinstall or deleting the apache-tomcat folder and running a repair should fix that.

1 Attachment

101 Posts

November 4th, 2021 16:00

Not fixed in 10.2.0.0.

101 Posts

November 4th, 2021 16:00

Charles,

That option that you show creates a self-signed certificate.  Self-signed certificates will produce certificate warnings from all browsers.  The function that needs the SAN attribute added is "Certificate Signing Request (CSR)".  The CSR can be submitted to an internal CA to get back a signed certificate that corporate browsers will accept.

Moderator

3.1K Posts

November 4th, 2021 19:00

Hi @MK1024,

Since the beginning of your post, the feature still has not been included in the new version, so I would suggest that you contact support to have a request raised. It would speed up the process as it's coming from a customer. I have been told previously that we're unsure when the feature will be included, but if a support request is raised, engineering may want to help include it as soon as possible.

101 Posts

November 5th, 2021 05:00

You're telling us that engineering is aware that the Generate CSR function is broken such that the resulting certificate fails in all modern browsers in use today, and they're not interested in fixing it because they learned about it from an employee instead of through a support request?

That's a bit dysfunctional.  I'm a software developer.  If I learn about a bug in bug code, I fix it regardless of where the bug report came from.

Moderator

8.4K Posts

November 5th, 2021 08:00

Hi MK1024,

I think what Joey meant is that our Social Media team already reported the issue, and our engineering team is looking into it. If you would private message Joey and me the svc tag, we can submit it for you as well, which can help move it forward.

Let me know.

101 Posts

November 10th, 2021 11:00

I did open a support case.  The response I got was "The OMSA development team has confirmed that the missing SAN info in the CSR is a bug and they’re currently working to resolve it."

Moderator

3.1K Posts

November 11th, 2021 18:00

Hi @MK1024,

Thanks for letting us know that a call has been made. Apologies for the delayed response here, as I too was waiting for an update on my social ticket. With your call to support, an engineering ticket has been created and, like you mentioned, they are currently working on it. I have no visibility on the engineer's timeline, but hopefully it will be resolved in the next update.

Since you have a call support case, let's monitor it and keep in contact with the case owner for updates.
