Hi. I’m moving my Deadline installation over to our corporate SSL certificates from a self-signed solution.
I noticed an issue when creating my own new certs that Deadline will fail to interpret the distinguished name of my PFX cert correctly. To confirm this I generated a few self-signed certs to test:
When generated from openssl my DN for a client could be: "C=US,ST=California,O=MyOrganization Inc.,OU=MyOrganizationalUnit,CN=ClientName".
I create this user in mongodb using x509 authentication and confirm it’s functional and has correct permissions for Deadline by authenticating within mongo shell.
When I package up this cert as a .pfx file using either your provided SSL tool (or just the openSSL commands) and point the Deadline Client (or Deadline Monitor) at it, I will get an error saying "unable to authenticate username: “C=US,S=California,O=MyOrganization Inc.,OU=MyOrganizationalUnit,CN=ClientName”".
You’ll notice the State entry is incorrectly listed as “S” vs. the OpenSSL standard of “ST”. This will cause me to be unable to authenticate using Deadline Client or Deadline Monitor.
If I create a new cert in the same exact way, but leave out the state entry, it will authenticate just fine as the rest of the naming conventions match. This was okay when I was self-signing certs as I could remove parts of the DN, but now I’m forced to use my corporate SSL certificate authority and I’m unable to remove or adjust any strings… thus leaving me SOL in moving us over.
Using other cert values I’ve found that it will also mangle a UID= as well.
Do you have any suggestions on how to proceed?
Here is a good article I read that seems to mirror some issues I’m facing.
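
Added example, not part of the original post and not Deadline or MongoDB code: a small diagnostic that compares the DN registered as the MongoDB user with the DN quoted in the client's error message, one RDN at a time, so the exact attribute label that differs is visible. The function names are hypothetical; the two DN strings are copied from the post.

```python
# Added diagnostic (not Deadline/MongoDB code): diff two DN strings RDN by RDN.

def split_dn(dn):
    """Split a comma-separated DN into (type, value) pairs, honouring
    backslash escapes and double-quoted values so embedded commas survive."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:   # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def diff_dn(registered, presented):
    """Return (position, registered_rdn, presented_rdn) for each RDN that differs."""
    a, b = split_dn(registered), split_dn(presented)
    if len(a) != len(b):
        raise ValueError(f"RDN count differs: {len(a)} vs {len(b)}")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# DN used for the MongoDB user, and DN from the client's error message (both from the post).
REGISTERED = "C=US,ST=California,O=MyOrganization Inc.,OU=MyOrganizationalUnit,CN=ClientName"
PRESENTED = "C=US,S=California,O=MyOrganization Inc.,OU=MyOrganizationalUnit,CN=ClientName"

if __name__ == "__main__":
    for pos, reg, got in diff_dn(REGISTERED, PRESENTED):
        print(f"RDN {pos}: registered {reg[0]}={reg[1]!r}, client sent {got[0]}={got[1]!r}")
```

For the two strings above it reports a single difference at RDN 1: the value is identical and only the attribute label changes from ST to S.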