Hi *, from the discussion so far, I realize that I've made the false assumption that the actual requirements and business cases related to the pre-existing RFE #828866 are well understood.
To clarify the requirements, here is the core of a new RFE document that is on its way via the current customer case:

3. What is the nature and description of the request?

Currently, the subject for an IPA generated CA cert is built of two components, a subject base DN (subject_base) and a static common name: 'CN=Certificate Authority'. While the subject_base is customizable via a command line option to ipa-server-install, the common name is hard coded into the installer. It is required to have the common name component of the subject DN customizable. In addition, it is required to allow an additional and optional emailAddress component prepended to the subject DN as most significant component.

4. Why does the customer need this? (List the business requirements here)

The customer needs to integrate IPA into an existing chain of trust. The IPA generated CA certificate needs to be signed by a superordinate PKI. To allow the IPA CA CSR to be signed by the superordinate PKI, it needs to meet certain criteria, including a particular customer specific common name and an additional emailAddress to clearly identify the subordinate CA. The current hard coded common name does not meet the requirements and therefore makes the integration of IPA into the existing PKI impossible. This in turn leaves the Linux/Unix IT operations dependent on the superordinate PKI even in cases where creation of service certs could perfectly be delegated to this Linux/Unix IT Ops in accordance with existing compliance rules and operational processes.

5. How would the customer like to achieve this? (List the functional requirements here)

The customer would like to get options to customize the common name and add an email address to the CA cert subject upon creation with ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

The new feature (option) must result in a CA cert CSR with a subject line like

  /usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr | grep Subject:
  Subject: E=caad...@example.com,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US

or

  openssl req -text -noout -in /root/ipa.csr | grep Subject:
  Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caad...@example.com

This IPA CA CSR must be signable by an Active Directory PKI and that signed certificate must be usable to proceed with the IPA server installation. In particular, IPA must be able to provide and accept the canonical order of subject attributes with emailAddress as most significant attribute, as shown in the example above.

7. Is there already an existing RFE upstream or in Red Hat bugzilla?

#828866 [RFE] enhance --subject option for ipa-server-install

8. Does the customer have any specific timeline dependencies?

Within the next three months.

On 07/07/2016 06:58 AM, Sebastian Hetze wrote:
> Hi *
>
> attached you find a patch that adds new options --subject_cn and
> --subject_mail to ipa-server-install that make the CA cert subject CN
> customizable.
>
> This patch has been tested by a customer in a PoC.
> However, I assume additional testing in different environments is required.
>
> It would be greatly appreciated if this patch would find its way into
> the product very soon.
>
> Beste Grüße / Best regards
> Sebastian Hetze

Beste Grüße / Best regards
Sebastian Hetze

--
Senior Solution Architect
Red Hat GmbH. Niederlassung Berlin
Am Treptower Park 75
12435 Berlin
Tel: +49 30 678 1798-241 . Mobil: +49 173 8914205
Fax: +49 30 678 1798-111 . E-Mail: s...@redhat.com
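As an added example, not part of the message above or of the submitted patch, the following Python shows one way to automate the acceptance check from item 6 of the RFE: it composes the CA subject from a subject base, a custom CN and an optional emailAddress (most significant first, as the RFE requires), parses the Subject: line as printed by either the NSS pp tool or openssl req -text into that same canonical order, and reports whether the CSR subject meets the criteria (custom CN present, hard-coded default gone, emailAddress most significant). The subject-base string format, the address ca-admin@example.test, the function names and the simple comma/slash splitting (no escaped separators) are assumptions; the hard-coded 'CN=Certificate Authority' and the example subject values come from the message.

```python
"""Build and verify an IPA CA CSR subject DN (added example, not the patch)."""
import re
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute, value), e.g. ("CN", "Custom CA Name")

# pp prints the e-mail attribute as "E", openssl as "emailAddress".
_EMAIL_ALIASES = {"E", "EMAIL", "EMAILADDRESS"}
# The static common name the installer currently hard codes (from the RFE text).
HARDCODED_CN = "Certificate Authority"


def normalize_attr(attr: str) -> str:
    """Map the tool-specific attribute spellings onto one canonical name."""
    a = attr.strip().upper()
    return "emailAddress" if a in _EMAIL_ALIASES else a


def parse_dn(dn: str) -> List[RDN]:
    """Split a comma- or slash-separated DN string into (attr, value) pairs,
    keeping the order as written.  Escaped separators inside values are not
    handled (assumption: enough for the subjects shown in the RFE)."""
    rdns: List[RDN] = []
    for part in re.split(r"[,/]", dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((normalize_attr(attr), value.strip()))
    return rdns


def build_subject(subject_base: str, cn: str, email: Optional[str] = None) -> List[RDN]:
    """Compose the CA subject, most significant attribute first: the optional
    emailAddress, then the customizable CN, then the subject base
    (assumed to be given most-specific-first, e.g. 'OU=...,O=...,C=US')."""
    rdns: List[RDN] = []
    if email:
        rdns.append(("emailAddress", email))
    rdns.append(("CN", cn))
    rdns.extend(parse_dn(subject_base))
    return rdns


def to_nss(rdns: List[RDN]) -> str:
    """Render the subject the way the NSS pp tool prints it (E= for e-mail)."""
    return ",".join(("E" if a == "emailAddress" else a) + "=" + v for a, v in rdns)


def parse_subject_line(line: str, tool: str) -> List[RDN]:
    """Parse a 'Subject:' line from pp (most significant first) or from
    openssl req -text (least significant first) into canonical order."""
    m = re.search(r"Subject:\s*(.*)$", line)
    if not m:
        raise ValueError("no Subject: field in line")
    rdns = parse_dn(m.group(1))
    if tool == "openssl":
        rdns.reverse()  # openssl prints C=... first; flip to most-significant-first
    elif tool != "nss":
        raise ValueError(f"unknown tool {tool!r}")
    return rdns


def check_subject(rdns: List[RDN], expected_cn: str, require_email: bool = True) -> List[str]:
    """Return the list of acceptance-test failures; an empty list means the
    CSR subject meets the RFE's criteria."""
    problems: List[str] = []
    cns = [v for a, v in rdns if a == "CN"]
    if cns != [expected_cn]:
        hint = " (still the installer default)" if cns == [HARDCODED_CN] else ""
        problems.append(f"expected exactly one CN={expected_cn!r}, got {cns}{hint}")
    if require_email and (not rdns or rdns[0][0] != "emailAddress"):
        problems.append("emailAddress is not the most significant attribute")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the address is a placeholder, not the customer's.
    base = "OU=Example IT,O=Example Corp,L=City,ST=State,C=US"
    wanted = build_subject(base, "Custom CA Name", "ca-admin@example.test")
    print("expected pp output: Subject:", to_nss(wanted))
    openssl_line = ("Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,"
                    "CN=Custom CA Name/emailAddress=ca-admin@example.test")
    got = parse_subject_line(openssl_line, "openssl")
    print("openssl subject matches:", got == wanted)
    print("problems:", check_subject(got, "Custom CA Name"))
    old = parse_subject_line("Subject: CN=Certificate Authority,O=EXAMPLE.COM", "nss")
    print("problems with default CSR:", check_subject(old, "Custom CA Name"))
```

Run it against the real Subject: line produced by either tool on /root/ipa.csr; a non-empty problem list means the CSR would not meet the criteria in item 6 before it is sent to the superordinate PKI.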