CSS11503 w/SSL Module Not Including DN List For CA

Unanswered Question
Feb 24th, 2009
User Badges:

We have noticed that, after implementing SSL support through CSS11503 w/SSL Module (moving from Apache 2.2.6 with ssl_mod), the 'certificate request' message sent by the server to the client during SSL Handshake phase does not include a list of Distinguished Names (DN) for the CA. With the previous implementation, using Apache, we saw that the server was sending this list.

Normally this allows the client browser to automatically identify suitable client certificates and present only the relevant certificates to the client. Now all certificates found on the client machine are being presented for selection. This results in a different user experience and confusion.

Has anybody come across this issue before and is there any way to ensure that the DN list is included using CSS module?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Gilles Dufour Tue, 03/03/2009 - 03:16
User Badges:
  • Cisco Employee,


DistinguishedName not used in certificate request

Close comment:

This enhancement will not be done on the CSS11500 product line and other Cisco

load balancers should be considered.


Brendan O'Flynn Fri, 03/06/2009 - 11:39
User Badges:

Hi Gilles,

Thanks for that information. I will investigate the other load balancing product lines for a suitable solution.



This Discussion