Hi, long time since I posted. It's comforting to see y'all are still
here plugging away

In Chrome 53, Google has decided that all certificates without at least
one Subject Alternative Name (SAN) are broken. So now ZCM2017 internal
certificates throw ERR_CERT_COMMON_NAME_INVALID. The reason is that there is
no SAN entry with a DNS value for the server name. I see this in my test environment.

Really, I would be happy to continue using the internal CA, if Novell would
patch the certificate to contain a valid SAN.

So I'm trying to install a new production server using our Active
Directory PKI as an external CA. After a good bit of fussing with
openssl I managed to produce a DER-formatted signed SSL certificate and
private key. So far so good.

The next page in the wizard asks me for "the public certificate of the
CA used to sign the server certificate." Our AD PKI uses an offline root
server and intermediate issuing CAs. So the ZCM server certificate has
a "chain" consisting of three certificates: the Root, an intermediate
and the server cert. But the ZENworks install wizard will only accept
one certificate.

If I supply the root certificate, I get an error message: "The issuer of
the specified signed server certificate doesn't match the CA certificate
subject".

If I supply the intermediate cert (that actually does the signing), I
get an error message: "The certificate chain present in the External CA
Certificate file does not end with a Root CA."

I have tried PEM and p7b (DER) formatted files containing both the
root and intermediate chain. These all give the error "The issuer of
the specified signed server certificate doesn't match the CA certificate
subject".

A DER formatted chained cert with root and intermediate gives the other
error "...does not end with a root CA." I suspect the conversion to DER
might be dropping one of the certs.

Long post, but certificates are always complicated to deal with. I'm
out of ideas anyway, so any advice is welcome.

Best Regards,
Phillip E. Thomas
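Added example, not from the post above and not ZENworks code: a stdlib-only Python check that reproduces the two wizard complaints on a DER chain file, counting how many certificates survived the conversion, whether the server cert's issuer is among them, and whether following issuer-to-subject links reaches a self-signed root. It assumes DER input (convert PEM first), compares raw DER Name encodings, and uses constructed, unsigned certificate fixtures (`make_cert`) in place of a real PKI.

```python
def _tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def split_der(blob):
    """Return every top-level DER element (each one certificate) in a concatenated DER file."""
    out, pos = [], 0
    while pos < len(blob):
        _, _, end = _tlv(blob, pos)
        out.append(blob[pos:end])
        pos = end
    return out

def issuer_subject(cert):
    """Return the raw DER issuer Name and subject Name of one X.509 certificate."""
    _, body, _ = _tlv(cert)                  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _tlv(body)                   # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs)                  # version [0] EXPLICIT is optional; skip it if present
    pos, fields = (pos if tag == 0xA0 else 0), []
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, val, pos = _tlv(tbs, pos)
        fields.append(val)
    return fields[2], fields[4]

def chain_report(server_der, ca_blob):
    """Mimic the wizard's two checks: is the server cert's issuer in the file, and
    does following issuer -> subject links from it reach a self-signed root?"""
    cas = [issuer_subject(c) for c in split_der(ca_blob)]
    by_subject = {subj: iss for iss, subj in cas}
    issuer, subject = issuer_subject(server_der)
    found, depth = issuer in by_subject, 0
    while issuer != subject and issuer in by_subject and depth < len(cas):
        subject, issuer, depth = issuer, by_subject[issuer], depth + 1
    return {"ca_certs": len(cas), "depth": depth, "issuer_found": found,
            "ends_with_root": depth > 0 and issuer == subject}

def _enc(tag, body):
    """DER-encode one TLV; only used below to build constructed sample certificates."""
    lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

def make_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509-shaped DER with only CN names; a test fixture, not a real cert."""
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn.encode()))))
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") + name(issuer_cn)
    return _enc(0x30, _enc(0x30, tbs + _enc(0x30, b"") + name(subject_cn) + _enc(0x30, b"")) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Run `chain_report(open("server.der","rb").read(), open("chain.der","rb").read())` on your own files: `ca_certs` of 1 where you expected 2 confirms the conversion dropped a certificate, and the `issuer_found`/`ends_with_root` flags map directly onto the two wizard messages.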