Bug ID 568765: CSR administrative Email attribute and Certificate Subject’s DN Email address

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
13.0.0

Opened: Jan 19, 2016
Severity: 3-Major

Symptoms

The Email address entered in the GUI is also there in generated CSR certificate subject DN email address(without associated SAN rfc822name), thus generated CSR is not RFC5280 conforming. And there is no way to use different email for CSR administrative email address and certificate subject DN email address.

Impact

GUI generates non RFC5280 conforming CSR.

Conditions

CSR generated though GUI by providing Email address is not RFC5280 conforming.

Workaround

Email address field in GUI can only be used for certificate subjects DN email address and when entered also enter rfc822name in subject alternative field. Example: If "test@test.com" entered in 'Email Address' field, then also include "email:test@test.com" in 'Subject Alternative Name' field.

Fix Information

Should be able enter different email in certificate properties (SAN/subject), administrative email of the CSR and generated CSR is RFC5280 conforming

Behavior Change