I've been trying to set up a computer certificate for Linux to use x509 authentication, but I'm stuck. Our organization has two internal domains and two separate network domains, and we're planning to phase out one of them. Currently, one domain uses RADIUS configuration with a computer certificate while the other relies on simple VLAN configuration. The VLAN setup worked fine, but now I need to generate a computer certificate for my Linux machine.
The tricky part is signing the Certificate Signing Request (CSR) according to our Windows certificate template, as it must include the DNS name in the Subject Alternative Name (SAN). Although my CSR includes the full DNS name as intended, I keep receiving an error saying, "The DNS name is unavailable and cannot be added to the Subject Alternative Name." The computer is already added to our domain and the hostname resolves correctly. Initially, devices only use MAC authentication to add them to the domain and install policies; thereafter, they need a certificate to access the network.
Can anyone guide me or point me in the right direction? I can't modify the settings in the template, and everything is working fine for Windows computers. Perhaps I missed some crucial detail while searching for answers?
2 Answers
It sounds like you're running into a template issue. The error suggests that your CSR might not be including the SAN correctly, even if it shows up when you check. Make sure the DNS names in the CSR exactly match what your Windows template expects. If you've confirmed that, double-check the permissions on the template too; they might be preventing the SAN from being applied properly when signing. Also, it may help to recreate your CSR with a new key to see if that resolves the issue.
Make sure that the server where you're signing the CSR has access to the DNS server that resolves your FQDN. The signing process checks for DNS resolution, and if it can't resolve that name, it won't add it to the SAN. You might also want to look into your Active Directory settings. Issues there could also be blocking the proper signing of your CSR.
Thanks for the tip! I'll verify the DNS settings on the signing server to make sure everything is aligned.

Good point! Also, have you tried using the command line to generate the CSR? Sometimes GUI tools can miss details that the command line will handle correctly.
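An added, constructed example (not code from the question or any answer) of the command-line approach suggested above: it builds a CSR with the FQDN in both the CN and the SAN, then reads the SAN back out of the request so you can confirm it is really there before submitting to the Windows CA. The hostname, working directory and file names are placeholders.

```shell
#!/bin/sh
# Constructed example: build a CSR whose SAN carries the machine's FQDN,
# then confirm the SAN actually made it into the request before submitting
# it to the CA. FQDN and WORKDIR below are assumed placeholders.

FQDN="${FQDN:-linuxbox01.corp.example}"   # assumption: replace with the real FQDN
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an openssl config that puts the FQDN in both the Subject CN and
# the subjectAltName extension; the SAN is what the template inspects.
write_csr_config() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $1
[ v3_req ]
subjectAltName = DNS:$1
EOF
}

# Generate a fresh RSA key and a CSR that uses that config.
make_csr() {
    write_csr_config "$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/machine.key" -out "$WORKDIR/machine.csr" \
        -config "$WORKDIR/csr.cnf" >/dev/null 2>&1
}

# Print the DNS names found in the CSR's SAN (empty if the extension is missing).
csr_san_dns() {
    openssl req -in "$WORKDIR/machine.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Mirror the CA-side resolution check locally: succeeds only if the name resolves.
check_resolves() { getent hosts "$1" >/dev/null; }

make_csr "$FQDN" && echo "SAN DNS entries: $(csr_san_dns)"
```

If `csr_san_dns` prints nothing, the request never carried the extension, which is worth ruling out before looking at the template or DNS on the signing server.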