On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
>> Hi Fraser,
>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
>> Then I set up ACL and generated a certificate request by:
>> $ certutil -R -d . -a -g 2048 -s
>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 
>> 'ipa.demo1.freeipa.org'
>> The resulting certificate is attached. What I pondering about is
>>         Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
>>         ...
>>         Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
>> Shouldn't the subject have O=VPN in it also?
> Hi Martin,
> (Cc freeipa-devel@ ; this info may be of general interest)
> The subject is determined by the certificate profile.  In the case
> of caIPAserviceCert, the pattern is:
>     CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> The CN comes from the CSR, and the Organisation is the IPA
> certificate subject base (as a literal string in the profile
> configuration).
> There are no substitution variables available to say "use such and
> such from the issuer DN".  If the default pattern is not suitable,
> you can define a profile with the subject DN pattern having exactly
> the O=... parts of DN you want (and/or other attributes), then
> associate the profile with the CA through CA ACLs.  (This approach
> is not elegant and does not scale well to many CAs).
> Hope that my explanation is helpful.

The explanation is helpful, I just do not I like the answer :-) What do you
think would make most sense for Sub-CA users?

I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would
fill the non-CN part of issuer DN, i.e. in this case:


which would make this profile flexible and usable in any Sub-CA.

Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and
respective Dogtag release? I am just afraid that given we release this feature
in 4.4, people would have to very creative and duplicate lot of certificate
profiles for different sub-CAs just to workaround the Subject patter
limitation, as you mentioned.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to