On Mon, Aug 15, 2016 at 03:58:40PM +0200, Petr Spacek wrote:
> On 15.8.2016 15:54, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
> >> On 15.8.2016 15:16, Fraser Tweedale wrote:
> >>> On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> >>>> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >>>>>>> Hah! This is what I get for thinking I know what the output has to
> >>>>>>> look like, and not testing all the way through to requesting the
> >>>>>>> cert. I'll change the profile to generate a subject with CN=
> >>>>>>> instead of UID=. Updated patch is attached. Unfortunately these
> >>>>>>> rules are only updated at ipa-server-install time, so if you'd
> >>>>>>> like to fix it without reinstalling:
> >>>>>>>
> >>>>> (Tangential commentary...) Yeah, currently cert-request demands the
> >>>>> CN. There is a design to relax the requirement to handle empty
> >>>>> subject names (look at SAN only). IMO it would make sense to accept
> >>>>> other "obvious" mappings in Subject DN like accepting UID instead of
> >>>>> CN for user subjects, but that would be a separate RFE. No one has
> >>>>> actually asked for it yet :)
> >>>>
> >>>> Side-note:
> >>>> I thought that subject format is enforced by certificate profile on
> >>>> server.
> >>>> Am I wrong?
> >>>>
> >>> You are right - what I suggested above would (today) require a
> >>> custom profile.
> >>
> >> Sooo...
> >> can we just relax existing profiles not to require CN= but accept
> >> SAN-only CSRs?
> >>
> >> :-)
> >>
> > That is absolutely going to happen as part of
> > http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance :)
>
> Good!
>
> Is it still targeting 4.4.x?
>
It's not going to make it.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code