On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> > Hi FreeIPA users,
> >
> > I'm having great fun with a web app that hates the othername/ NT Principal
> > name included with certificates generated with ipa-getcert.
> >
> > I've tried several variations but can't omit this part of the subject
> > alternative name. Is there any way to do so?
>
> You may add a separate certificate profile that omits the principal and
> allow issuing with this profile. The check for the Kerberos principal is
> a part of the issuance process before the certificate request is passed
> to the CA for actual signing. Once signed, content of the certificate is
> not validated anymore.
>
> See Fraser's blog like this one:
> https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
> for some examples.
>

Hi David,
+Rob

Actually, a custom profile won't help. cert-request command validates the SAN extension, but cannot alter it (e.g. to remove the UPN value). So, you need to submit a CSR that does not have the UPN otherName value. Unfortunately, that is not possible via Certmonger. The logic goes like this:

- `ipa getcert-request` requires the `--principal` option to specify the subject principal
- The certmonger-ipa-submit(8) submission helper sets this argument using the value of the CERTMONGER_REQ_PRINCIPAL environment variable (src/ipa.c ~L768)
- The certmonger code that invokes the submission helper sets that environment variable from the request's `template_principal` field, if set (src/submit-e.c ~L863)
- If the `template_principal` field is set (as it must be for the IPA CA per above premises), the CSR will also include the KRB5PrincipalName and UPN otherName values in the SAN extension.

The only workaround I see is to not use Certmonger in this case.

The proper solution is to fix whatever program is complaining about the certificate. Are you able to say what program it is? Can you file a support/change request?

It would be possible to enhance Certmonger to know the principal to tell it to `ipa cert-request` *without* also setting the KRB5PrincipalName and UPN otherNames. But it's a non-trivial change to handle a possibly non-conforming verifier implementation. I would not count on it happening.

Thanks,
Fraser
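An added example, not from the thread or from the FreeIPA/Certmonger code: a small pure-Python DER walker that lists the otherName type-ids in a SubjectAltName extension value, so you can check whether a CSR you built by hand (the workaround above) or an issued certificate still carries the KRB5PrincipalName (1.3.6.1.5.2.2) and UPN (1.3.6.1.4.1.311.20.2.3) otherNames. It takes the raw extension value bytes (the OCTET STRING contents, e.g. as dumped by `openssl asn1parse`); the sample SAN below is constructed inline, and the OID decoder assumes a first arc of 0 or 1, which holds for both OIDs of interest.

```python
OID_KRB5_PRINCIPAL_NAME = "1.3.6.1.5.2.2"     # KRB5PrincipalName otherName type-id
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"         # Microsoft UPN otherName type-id

def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(data):
    """Decode a DER OBJECT IDENTIFIER value into dotted form (assumes first arc is 0 or 1)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0  # first byte packs the first two arcs
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def san_entries(san_der):
    """List (kind, value) pairs from a SAN SEQUENCE: dNSName strings and otherName type-id OIDs."""
    _, seq, _ = _read_tlv(san_der, 0)
    entries, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x82:    # [2] IMPLICIT dNSName
            entries.append(("dNSName", val.decode("ascii")))
        elif tag == 0xA0:  # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            entries.append(("otherName", _decode_oid(_read_tlv(val, 0)[1])))
    return entries

def principal_othernames(san_der):
    """Return which of the two principal otherNames (KRB5PrincipalName, UPN) the SAN carries."""
    return sorted(v for k, v in san_entries(san_der)
                  if k == "otherName" and v in {OID_KRB5_PRINCIPAL_NAME, OID_MS_UPN})

def _tlv(tag, body):
    """Tiny DER encoder (lengths up to 255), used only to build the constructed sample below."""
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def _other_name(oid_der, value_der):
    return _tlv(0xA0, _tlv(0x06, oid_der) + _tlv(0xA0, value_der))

# Constructed sample SAN shaped like an ipa-getcert CSR for HTTP/web.example.test: dNSName + both principal otherNames.
_KRB5_NAME = _tlv(0x30, _tlv(0xA0, _tlv(0x1B, b"EXAMPLE.TEST")) + _tlv(0xA1, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x01")) + _tlv(0xA1, _tlv(0x30, _tlv(0x1B, b"HTTP") + _tlv(0x1B, b"web.example.test"))))))
SAMPLE_SAN = _tlv(0x30, _tlv(0x82, b"web.example.test")
                  + _other_name(bytes.fromhex("2b0601050202"), _KRB5_NAME)
                  + _other_name(bytes.fromhex("2b060104018237140203"), _tlv(0x0C, b"HTTP/web.example.test@EXAMPLE.TEST")))
```

A SAN that lists only dNSName entries returns an empty list from `principal_othernames`, which is the state the complaining verifier needs.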