March 19th, 2010 23:00
Change common name in cert to match dns name
By default, the ECC KeyManagementUtility generates the CN using the host short name (e.g. MYECC01). Is there a way to force it to use the FQDN (e.g. MYECC01.domain.name)?
[2010.03.20 14:24:50 main KeyManagementUtility]
(INFO) Initialization completed
[2010.03.20 14:24:50 main KeyManagementUtility]
(INFO) The KeyManagementUtility is called with the following options:
-generate [-trust] [-override] [-silent]
Initializing Lockbox in:D:\ECC\lockbox\KMSSERVER.lb
[2010.03.20 14:24:52 main KeyManagementUtility]
(INFO) The PUBLIC_KEY_ROOT keys exist
Country: US Organization: EMC Organizational Unit: ControlCenter - ROOT Common name: MYECC01
Getting root private key to sign a cert
[2010.03.20 14:24:56 main KeyManagementUtility]
(INFO)
*********************************************************
* *
* YOU HAVE SUCCESSFULLY RE-GENERATED THE *
* TRUST CERTIFICATE. *
* *
* IF YOU WERE USING ControlCenter IN SECURE MODE *
* THEN TO CONTINUE USING CONTROL CENTER YOU HAVE *
* TO RESTART ALL CONTROL CENTER COMPONENTS *
* *
*********************************************************
youngp2
July 7th, 2010 10:00
Hi William
I was able to get an engineer to explain the current situation quite well.
In Infrastructure components, the ECC certificate has the CN as just the hostname, not the FQDN. The entire FQDN is of 255 character length as per RFC standards, and as the CN length is 64 characters, we are using the hostname instead of the FQDN to avoid exceeding the 64 length.
But generally the FQDN does not exceed 64 char length. That's why we are planning to change the CN logic in UB9 to use the FQDN for the Subject common name and fall back to just the hostname only if the FQDN exceeds 64 characters.
So unfortunately there is no way to force the full name at this time; however, it is an issue that the developers are aware of and plan to resolve in the next release.
Regards,
Paul Young
EMC Global Services
youngp2
July 2nd, 2010 12:00
Hello
This is a very interesting question and I plan on consulting with some of our SSL experts. I have a feeling this will be very hard to change though, so I was wondering what your reasoning was so that we might be able to think of a workaround. Do you have a number of hosts on different domains with the same short name that you are concerned about?
Regards,
Paul Young
EMC Global Services
william_lai
July 6th, 2010 18:00
Hi,
Thank you for replying to my question.
Yes, we do have hosts in different DNS domains.
Regards
William
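
An added example, not part of the original thread and not EMC's code: a Python model of the CN rule described in the July 7th reply (FQDN as the CN, falling back to the short hostname only above 64 characters), run against a constructed inventory to show which hosts would receive the same CN under the short-name rule. The function names, the lower-casing of names for comparison, and every hostname except the thread's own MYECC01.domain.name are assumptions of this example.

```python
# Added example (not EMC code): models the CN rule described in the thread.
CN_MAX = 64      # X.509 upper bound for commonName (ub-common-name, RFC 5280)
LABEL_MAX = 63   # maximum length of a single DNS label
FQDN_MAX = 253   # textual DNS name without trailing dot (255 octets on the wire)

def normalize(fqdn):
    """Lower-case, drop the trailing dot, and reject names DNS itself forbids."""
    name = fqdn.strip().rstrip(".").lower()
    if not name or len(name) > FQDN_MAX:
        raise ValueError("invalid DNS name length: %r" % fqdn)
    if any(not label or len(label) > LABEL_MAX for label in name.split(".")):
        raise ValueError("invalid DNS label in: %r" % fqdn)
    return name

def cn_short(fqdn):
    """Behaviour described in the thread: CN is the short hostname only."""
    return normalize(fqdn).split(".")[0]

def cn_planned(fqdn):
    """Planned behaviour per the thread: FQDN, or short name if FQDN > 64 chars."""
    name = normalize(fqdn)
    return name if len(name) <= CN_MAX else name.split(".")[0]

def collisions(hosts, rule):
    """Return each CN that more than one distinct host would receive."""
    by_cn = {}
    for host in hosts:
        by_cn.setdefault(rule(host), set()).add(normalize(host))
    return {cn: sorted(names) for cn, names in by_cn.items() if len(names) > 1}

# Constructed inventory: one short name in two domains, plus an over-long FQDN.
LONG = "myecc02." + ".".join("department-%02d" % i for i in range(5)) + ".example.com"
HOSTS = ["MYECC01.domain.name", "myecc01.other.example", LONG]

if __name__ == "__main__":
    for host in HOSTS:
        print("%s\n  short=%s\n  planned=%s" % (host, cn_short(host), cn_planned(host)))
    print("collisions (short):  ", collisions(HOSTS, cn_short))
    print("collisions (planned):", collisions(HOSTS, cn_planned))
```

Hosts whose FQDN is longer than 64 characters still fall back to the short name under the planned rule, so an inventory check like `collisions` remains useful for those.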