Alexey Filimonov via FreeIPA-users wrote:
> I want to make a certificate profile that can issue certificates for hosts,
> but I want values in the certprofile to be filled in by FreeIPA, and not from the
> certificate request.
> I can not understand how FreeIPA integrates with DogTag when some IPA-joined
> host requests a certificate with certmonger.
>
> In some profiles I see `$request.req_subject_name.cn$`, but I don't
> understand if FreeIPA took this value from the request or from LDAP, and did IPA
> validate that this CN is owned by the requestor or not?
>
> In different profiles I found there is a `$request.upn$` placeholder, but it
> just does not work when it's requested by certmonger.
>
> Is there a list of parameters FreeIPA passes to DogTag, with information
> about the source of those values and validation against the directory?
>
IPA can't modify the CSR. Via the profile the CA itself can choose to replace values in the CSR but I don't know of a way to pass in what that value should be. What value(s) did you want to replace?

As for validation, yes, IPA validates the request in a number of ways:

1. If it is a host principal making the request it ensures that the target has a managedby of the host
2. If it is not a host principal requesting a host certificate it ensures that the requesting user is allowed to request certificates at all
3. It ensures that any SAN is known by IPA
4. Users can only request certificates for themselves

And probably a few others I'm forgetting.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
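The four validation rules in the reply above, modelled as an added, self-contained policy check. This is illustrative code and not FreeIPA's own implementation: the in-memory directory, the `host/<fqdn>` principal format, the `cert_request_allowed` set and the `validate()` function are all constructed here as assumptions so that the authorization logic can be exercised offline.

```python
"""Simplified model of the request-authorization checks listed in the reply.

Added illustration, not FreeIPA code. The directory contents, principal
format and the name 'cert_request_allowed' are assumptions for this example.
"""
from dataclasses import dataclass, field

# Constructed sample directory: hosts with their managedBy sets, plain users,
# and the subset of users permitted to request certificates at all.
DIRECTORY = {
    "hosts": {
        "web1.example.test": {"managedby": {"web1.example.test", "ipa1.example.test"}},
        "db1.example.test": {"managedby": {"db1.example.test"}},
    },
    "users": {"alice", "bob"},
    "cert_request_allowed": {"alice"},
}


@dataclass
class CertRequest:
    requestor: str                      # who is asking: "host/<fqdn>" or a user name
    principal: str                      # whose cert it is: "host/<fqdn>" or a user name
    sans: set = field(default_factory=set)  # DNS SANs taken from the CSR


def is_host_principal(principal: str) -> bool:
    return principal.startswith("host/")


def host_of(principal: str) -> str:
    # "host/web1.example.test" -> "web1.example.test"
    return principal.split("/", 1)[1]


def validate(req: CertRequest, directory: dict = DIRECTORY) -> tuple[bool, str]:
    """Return (allowed, reason) for a certificate request.

    Mirrors the reply's rules:
      1. host requestor -> must appear in the target host's managedBy
      2. non-host requestor for a host cert -> must be allowed to request certs
      3. every SAN must be a host known to the directory
      4. user certificates only for the requesting user
    """
    hosts = directory["hosts"]
    users = directory["users"]

    if is_host_principal(req.principal):
        target = host_of(req.principal)
        if target not in hosts:
            return False, f"target host {target} is not enrolled"
        if is_host_principal(req.requestor):
            # Rule 1: the requesting host must manage the target host.
            if host_of(req.requestor) not in hosts[target]["managedby"]:
                return False, "requesting host is not in managedBy of target"
        else:
            # Rule 2: a user asking for a host cert needs the general permission.
            if req.requestor not in directory["cert_request_allowed"]:
                return False, "user is not allowed to request certificates"
    else:
        # Rule 4: a user certificate may only be requested by that user.
        if req.principal not in users:
            return False, f"unknown user {req.principal}"
        if req.requestor != req.principal:
            return False, "users can only request certificates for themselves"

    # Rule 3: SANs are only accepted when they name hosts the directory knows.
    for san in req.sans:
        if san not in hosts:
            return False, f"SAN {san} is not known to the directory"

    return True, "ok"


if __name__ == "__main__":
    for r in (
        CertRequest("host/web1.example.test", "host/web1.example.test", {"web1.example.test"}),
        CertRequest("host/web1.example.test", "host/db1.example.test"),
        CertRequest("host/web1.example.test", "host/web1.example.test", {"evil.example.test"}),
        CertRequest("bob", "host/db1.example.test"),
        CertRequest("alice", "bob"),
    ):
        print(r.requestor, "->", r.principal, validate(r))
```

The point of the model is that the CSR's contents (subject CN, SANs) are checked against what the directory already knows about the requestor, which is why arbitrary names in a CSR are rejected rather than overwritten.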
