Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.

For example:
# ipa-server-install --ca --subject="O=Example"

If the installed CA is dogtag then the following will happen:

1. request for CN=test.example.com will issue CN=test.example.com, O=Example
2. request for CN=test.example.com, O=Test will issue CN=test.example.com, O=Example
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

If the installed CA is selfsign then the following will happen:

1. request for CN=test.example.com will be rejected
2. request for CN=test.example.com, O=Test will be rejected
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

rob

Attachment: freeipa-351-subject.patch
Description: application/mbox
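The two issuance policies described in the post, as an added model (not FreeIPA, dogtag or selfsign code): `dogtag_issue` keeps only the CN from the request and appends the configured subject base, while `selfsign_issue` returns None for any request whose subject does not already end in that base. The DN parser is deliberately minimal (no escaping or multi-valued RDN support) and the function names are my own.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=a, O=b' into [('CN', 'a'), ('O', 'b')]; no escaping support."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def dogtag_issue(csr_subject: str, subject_base: str) -> str:
    """dogtag behaviour from the post: CN from the CSR, everything else replaced
    by the installation-time subject base, whatever the CSR asked for."""
    cn = [rdn for rdn in parse_dn(csr_subject) if rdn[0] == "CN"]
    if len(cn) != 1:
        raise ValueError("request subject must carry exactly one CN")
    return format_dn(cn + parse_dn(subject_base))


def selfsign_issue(csr_subject: str, subject_base: str) -> Optional[str]:
    """selfsign behaviour from the post: issue the subject unchanged only when it
    is exactly 'CN=<name>' followed by the configured base; otherwise reject."""
    rdns = parse_dn(csr_subject)
    base = parse_dn(subject_base)
    conforms = len(rdns) == len(base) + 1 and rdns[0][0] == "CN" and rdns[1:] == base
    return format_dn(rdns) if conforms else None


if __name__ == "__main__":
    # Constructed requests matching the three cases in the post, base "O=Example".
    for req in ("CN=test.example.com", "CN=test.example.com, O=Test",
                "CN=test.example.com, O=Example"):
        print(f"{req!r:40} dogtag -> {dogtag_issue(req, 'O=Example')}")
        print(f"{'':40} selfsign -> {selfsign_issue(req, 'O=Example') or 'rejected'}")
```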

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel