Bug ID 568768: CSR attribute email and certificate Subject's DN email are not distinguished

Last Modified: Jun 18, 2019


Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1

Fixed In:
13.0.0

Opened: Jan 19, 2016
Severity: 3-Major

Symptoms

The email entered when creating a CSR is used both as the CSR attribute email and as the email in the certificate properties (SAN/subject).

Impact

It is not possible to generate a separate email attribute in the CSR as well as the certificate subject's DN email.

Conditions

Creating a CSR via iControl or tmsh.

Workaround

None.

Fix Information

You can now generate a separate email attribute in the CSR as well as the certificate subject's DN email.

Behavior Change

With iControl or tmsh, when a CSR is created with a Subject's DN containing an EmailAddress, an RFC822Name SAN entry with that EmailAddress is added automatically. If the provided SAN is not short enough (the current maximum length is 4095 characters) for the RFC822Name SAN entry to be added automatically, iControl or tmsh throws an error saying "Certificates with Subject's DN containing an Email Address must also have a RFC822Name SAN entry with that Email Address and failed to automatically include as the length exceeded 4095 characters."
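
The behavior change described above can be modeled as follows. This is an added example, not F5 code: the function names, the comma-separated DN string, the OpenSSL-style `email:`/`DNS:` SAN string, and counting the 4095 limit against the resulting SAN string are all assumptions made for illustration.

```python
import re

MAX_SAN_LEN = 4095  # limit quoted in the behavior change text
ERR = ("Certificates with Subject's DN containing an Email Address must also "
       "have a RFC822Name SAN entry with that Email Address and failed to "
       "automatically include as the length exceeded 4095 characters.")

def dn_emails(subject_dn):
    """Return emailAddress values from a comma-separated DN string (assumed format)."""
    emails = []
    for rdn in re.split(r"(?<!\\),", subject_dn):  # split on unescaped commas
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() in ("emailaddress", "e") and value.strip():
            emails.append(value.strip())
    return emails

def san_emails(san):
    """Return rfc822Name values already in the SAN string, lower-cased.

    Comparing case-insensitively is a simplification chosen for this model.
    """
    found = set()
    for entry in san.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.strip().lower() == "email":
            found.add(value.strip().lower())
    return found

def ensure_rfc822_san(subject_dn, san=""):
    """Append an email: entry for every DN email that the SAN string lacks."""
    present = san_emails(san)
    parts = [san.strip()] if san.strip() else []
    added = False
    for addr in dn_emails(subject_dn):
        if addr.lower() not in present:
            parts.append("email:" + addr)
            present.add(addr.lower())
            added = True
    result = ", ".join(parts)
    # The error applies only when an entry had to be added and did not fit.
    if added and len(result) > MAX_SAN_LEN:
        raise ValueError(ERR)
    return result
```
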