On 15.8.2016 15:16, Fraser Tweedale wrote: > On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote: >> On 2.8.2016 05:57, Fraser Tweedale wrote: >>>>> Hah! This is what I get for thinking I know what the output has to look >>>>> like, and not testing all the way through to requesting the cert. I'll >>>>> change the profile to generate a subject with CN= instead of UID=. Updated >>>>> patch is attached. Unfortunately these rules are only updated at >>>>> ipa-server-install time, so if you'd like to fix it without reinstalling: >>>>> >>> (Tangential commentary...) Yeah, currently cert-request demands the >>> CN. There is a design to relax the requirement to handle empty >>> subject names (look at SAN only). IMO it would make sense to accept >>> other "obvious" mappings in Subject DN like accepting UID instead of >>> CN for user subjects, but that would be a separate RFE. Noone has >>> actually asked for it yet :) >> >> Side-note: >> I thought that subject format is enforced by certificate profile on server. >> Am I wrong? >> > You are right - what I suggested above would (today) require a > custom profile.
Sooo... can we just relax existing profiles not to require CN= but accept SAN-only CSRs? :-) -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code