On Mon, 04 Nov 2024, Alexey Filimonov via FreeIPA-users wrote:
Well, I want to add SAN::UPN (as LDAP's krbPrincipalName), SAN::DN (as in LDAP, `fqdn=...,cn=computers,...`) and SAN::UUID (as in LDAP's ipaUniqueID) to issue many short-lived certs for workstations that don't get written to userCertificates.
Any reason why those clients couldn't use ACME service? What's so specific for them to ask for these certificates with particular properties you defined?
Currently I found that the UPN value is provided by the host in the CSR, and DN and ipaUniqueID are not provided at all. MUST those values be provided in the CSR generated on the host side, or can FreeIPA or DogTag fill them in by themselves? Is it possible to make DogTag get those props from LDAP? I found the `DomainController.cfg` profile, which has genericInputImpl, which I assume stands for some kind of "generic input", and nsTokenUserKeySubjectNameDefaultImpl, which has something about LDAP. And I didn't find anything related to CSR validation in the IPA code, please point me.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
