On 15.8.2016 15:54, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
>> On 15.8.2016 15:16, Fraser Tweedale wrote:
>>> On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
>>>> On 2.8.2016 05:57, Fraser Tweedale wrote:
>>>>>>> Hah! This is what I get for thinking I know what the output has to look
>>>>>>> like, and not testing all the way through to requesting the cert. I'll
>>>>>>> change the profile to generate a subject with CN= instead of UID=. 
>>>>>>> Updated
>>>>>>> patch is attached. Unfortunately these rules are only updated at
>>>>>>> ipa-server-install time, so if you'd like to fix it without 
>>>>>>> reinstalling:
>>>>>>>
>>>>> (Tangential commentary...) Yeah, currently cert-request demands the
>>>>> CN.  There is a design to relax the requirement to handle empty
>>>>> subject names (look at SAN only).  IMO it would make sense to accept
>>>>> other "obvious" mappings in Subject DN like accepting UID instead of
>>>>> CN for user subjects, but that would be a separate RFE.  Noone has
>>>>> actually asked for it yet :)
>>>>
>>>> Side-note:
>>>> I thought that subject format is enforced by certificate profile on server.
>>>> Am I wrong?
>>>>
>>> You are right - what I suggested above would (today) require a
>>> custom profile.
>>
>> Sooo...
>> can we just relax existing profiles not to require CN= but accept SAN-only 
>> CSRs?
>>
>> :-)
>>
> That is absolutely going to happen as part of
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance :)

Good!

Is it still targeting 4.4.x?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to