On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> Hi FreeIPA users,
>
> I'm having great fun with a web app that hates the othername/NT Principal
> name included with certificates generated with ipa-getcert.
>
> I've tried several variations but can't omit this part of the subject
> alternative name. Is there any way to do so?

You may add a separate certificate profile that omits the principal and
allow issuing with this profile. The check for the Kerberos principal is
a part of the issuance process before the certificate request is passed
to the CA for actual signing. Once signed, content of the certificate is
not validated anymore.

See Fraser's blog like this one:
https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
for some examples.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
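
Added example (not part of the original thread and not FreeIPA's own code): a check that can be run on a certificate issued from a profile meant to omit the principal. It walks a DER-encoded subjectAltName extension value and flags otherName entries such as the UPN ("NT Principal name"). The host name, realm, sample bytes and function names are constructed for illustration.

```python
OTHERNAME_LABELS = {"1.3.6.1.4.1.311.20.2.3": "UPN",        # Microsoft UPN
                    "1.3.6.1.5.2.2": "KRB5PrincipalName"}   # RFC 4556
SIMPLE_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI"}     # IA5String names

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def san_entries(san_der):
    """Return [(kind, detail)] for each GeneralName in the SAN value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0xA0:                     # [0] otherName: type-id OID + value
            oid = decode_oid(read_tlv(body, 0)[1])
            out.append(("otherName", OTHERNAME_LABELS.get(oid, oid)))
        elif tag in SIMPLE_TAGS:
            out.append((SIMPLE_TAGS[tag], body.decode("ascii")))
        else:
            out.append((f"tag 0x{tag:02x}", ""))
    return out

def has_othername(san_der):
    return any(kind == "otherName" for kind, _ in san_entries(san_der))

# Constructed sample SAN values (hypothetical host and realm, not from the thread).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only
DNS = tlv(0x82, b"web.example.test")
UPN = tlv(0xA0, tlv(0x06, bytes.fromhex("2b060104018237140203"))
          + tlv(0xA0, tlv(0x0C, b"HTTP/web.example.test@EXAMPLE.TEST")))
SAN_WITH_PRINCIPAL = tlv(0x30, DNS + UPN)   # what the web app rejects
SAN_DNS_ONLY = tlv(0x30, DNS)               # what the custom profile should yield
```

Extracting the subjectAltName extension value from a real certificate is left to whatever X.509 tooling is at hand.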