CSRs generated by CertMgr/CertStore do not support a mail address field

Adding ReqEmailAddress field results in a csr with a field "Mail" instead of the correct field "emailAddress". That is for example not accepted from our internal PKI. Those guys on the other hand are driven by security regulations. So the argument "You dont need the CA to send warning messages" will not have an impact in our environment whilst being totally logical. On top, we even have our own domino database to file all (including non-domino) server certificates. But we cannot submit csr's from domino CertStore. That's a big pity.

You dont need the CA to send warning messages when the cert expires. This functionality is already provided by the Domino CertManager. See Health Check section of the configuration form.

Just checked. The back-end API supports the email attribute and also the CertMgr back-end reads the field.

But at the time we decided, we don't want the field on the form. And you are the first one asking about it.

Just tested and this is already in 12.0:

You can add this field to the form: "ReqEmailAddress"

CertMgr understands the field and will include the e-mail address in the CSR.

-- Daniel

Can you explain why a server certificate should have an email address?

Can you also provide examples of public CAs requiring the email attribute?

Or is this more a customer defined workflow using this attribute to make their life easier?

I did never hear that a e-mail address is required for a server certificate.

The attribute emailAddress is usually used for the key useage emailProtection.

Is this the attribute requested?