From 51f6ff2073413856ce8969ddcbca5a210d008a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20B=C4=85k?= Date: Wed, 26 Nov 2025 13:36:22 +0100 Subject: [PATCH 1/2] [MTM-65209] The Common Name (CN) field in the CSR Subject must exactly match the device ID supplied during the device registration process. --- .../device-enroll-and-re-enroll.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/device-certificate-authentication/device-enroll-and-re-enroll.md b/content/device-certificate-authentication/device-enroll-and-re-enroll.md index 6a3cda4a9d..78b6ed45c5 100644 --- a/content/device-certificate-authentication/device-enroll-and-re-enroll.md +++ b/content/device-certificate-authentication/device-enroll-and-re-enroll.md @@ -34,7 +34,7 @@ On creating a new device certificate the Device enroll API is called. This trigg * The Device enroll API is used by a device to get a fresh new certificate. * If no CA is available an error occurred with message `Tenant CA certificate is either missing, expired, or has a validity of less than one year`. * If tenant's keypair is not found then an error occurred with message `Failed to retrieve tenant keypair`. -* If the request does not contain a valid [CertificateSigningRequest](https://en.wikipedia.org/wiki/Certificate_signing_request) an error will be returned. +* The Common Name (CN) field in the CSR Subject must exactly match the device ID supplied during the device registration process. If the request does not contain a valid [CertificateSigningRequest](https://en.wikipedia.org/wiki/Certificate_signing_request) an error will be returned. {{< c8y-admon-info >}} As per [EST standards](https://datatracker.ietf.org/doc/html/rfc7030#autoid-58), the certificate in response is in `PKCS7` format by default. Clients can optionally request for a `PKCS10` format by sending `Accept: application/pkcs10` in the request header. From 53ee77a43811c46a0ad641be928417a0bf273127 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20B=C4=85k?= <89777350+mbak-c8y@users.noreply.github.com> Date: Mon, 1 Dec 2025 10:49:29 +0100 Subject: [PATCH 2/2] Update content/device-certificate-authentication/device-enroll-and-re-enroll.md Co-authored-by: Beate Rixen <90445236+BeateRixen@users.noreply.github.com> --- .../device-enroll-and-re-enroll.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/device-certificate-authentication/device-enroll-and-re-enroll.md b/content/device-certificate-authentication/device-enroll-and-re-enroll.md index 78b6ed45c5..c7337e1edf 100644 --- a/content/device-certificate-authentication/device-enroll-and-re-enroll.md +++ b/content/device-certificate-authentication/device-enroll-and-re-enroll.md @@ -34,7 +34,7 @@ On creating a new device certificate the Device enroll API is called. This trigg * The Device enroll API is used by a device to get a fresh new certificate. * If no CA is available an error occurred with message `Tenant CA certificate is either missing, expired, or has a validity of less than one year`. * If tenant's keypair is not found then an error occurred with message `Failed to retrieve tenant keypair`. -* The Common Name (CN) field in the CSR Subject must exactly match the device ID supplied during the device registration process. If the request does not contain a valid [CertificateSigningRequest](https://en.wikipedia.org/wiki/Certificate_signing_request) an error will be returned. +* The Common Name (CN) field in the Certificate Signing Request (CSR) subject must exactly match the device ID supplied during the device registration process. If the request does not contain a valid [Certificate Signing Request](https://en.wikipedia.org/wiki/Certificate_signing_request) an error will be returned. {{< c8y-admon-info >}} As per [EST standards](https://datatracker.ietf.org/doc/html/rfc7030#autoid-58), the certificate in response is in `PKCS7` format by default. Clients can optionally request for a `PKCS10` format by sending `Accept: application/pkcs10` in the request header.