> Any reason why those clients couldn't use ACME service? What's so
> specific for them to ask for these certificates with particular
> properties you defined?
They're not listed in DNS.
It's an EAPoL certificate for 802.1X wired and wireless.
The properties I want to add to the certificate are ipaUniqueId and
krbPrincipalName, to check on the FreeRADIUS level if an object with this name
and UUID exists in LDAP, a kind of certificate revocation check without
storing certificates in LDAP and without using OCSP/CRLs: if a computer
(laptop) was compromised (stolen), it should just be removed from the
directory instead of revoking its certificates.
On 2024-11-05 11:28, Alexander Bokovoy wrote:
On Mon, 04 Nov 2024, Alexey Filimonov via FreeIPA-users wrote:
Well, I want to add SAN::UPN (as LDAP's krbPrincipalName), SAN::DN (as
in LDAP, `fqdn=...,cn=computers,...`) and SAN::UUID (as in LDAP's
ipaUniqueID) to issue many short-lived certs for workstations that
don't get written to userCertificates.
Any reason why those clients couldn't use ACME service? What's so
specific for them to ask for these certificates with particular
properties you defined?
Currently I found that the UPN value is provided by the host in the CSR, and the DN
and ipaUniqueID are not provided at all.
Must those values be provided in the CSR generated on the host side, or
can FreeIPA or DogTag fill them in by themselves? Is it possible to make
DogTag get those properties from LDAP? I found the `DomainController.cfg`
profile, which has genericInputImpl which, I assume, stands for some kind
of "generic input", and nsTokenUserKeySubjectNameDefaultImpl, which has
something about LDAP.
And I didn't find anything related to CSR validation in the IPA code,
please point me to it.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
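The "object with this name and UUID exists in LDAP" check described in the thread, written out as an added Python example that is not part of the thread or of FreeIPA/FreeRADIUS. It assumes the RADIUS side has already extracted the UPN and UUID values from the client certificate's SAN; the directory is a constructed in-memory stand-in for the `cn=computers` entries, and the host names, realm and UUIDs are made up. It also shows the RFC 4515 escaping a real LDAP query would need, since the filter's assertion values come from a certificate presented by the client.

```python
import re
import uuid

# Constructed stand-in for the FreeIPA directory: krbPrincipalName -> ipaUniqueID
# for each host entry. Values are invented for this example.
DIRECTORY = {
    "host/laptop01.example.test@EXAMPLE.TEST": "4d1f3b1c-3f4a-11ef-9c1e-525400abcdef",
    "host/laptop02.example.test@EXAMPLE.TEST": "5e2a4c2d-3f4a-11ef-9c1e-525400abcdef",
}

# Expected shape of a FreeIPA host principal: host/<fqdn>@<REALM>
PRINCIPAL_RE = re.compile(
    r"host/[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+@[A-Z0-9.-]+"
)


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that text taken from the
    client certificate cannot alter the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(principal: str, unique_id: str) -> str:
    """Filter a real rlm_ldap / python-ldap search would use to require that
    one entry carries both SAN values at once."""
    return "(&(krbPrincipalName=%s)(ipaUniqueID=%s))" % (
        ldap_filter_escape(principal),
        ldap_filter_escape(unique_id),
    )


def authorize_host_cert(principal: str, unique_id: str, directory=DIRECTORY) -> bool:
    """Accept the certificate only if a host entry with exactly this
    principal still exists and its ipaUniqueID matches the SAN UUID.
    Removing the host entry therefore rejects every cert issued to it,
    which is the revocation-without-CRL behaviour the thread wants."""
    # Reject anything that does not even look like a host principal.
    if PRINCIPAL_RE.fullmatch(principal) is None:
        return False
    # Normalise the UUID so case differences do not matter; reject garbage.
    try:
        wanted = uuid.UUID(unique_id)
    except ValueError:
        return False
    stored = directory.get(principal)
    if stored is None:
        return False  # host deleted (or never existed): treat as revoked
    return uuid.UUID(stored) == wanted


if __name__ == "__main__":
    print(build_filter("host/laptop01.example.test@EXAMPLE.TEST",
                       "4d1f3b1c-3f4a-11ef-9c1e-525400abcdef"))
    print(authorize_host_cert("host/laptop01.example.test@EXAMPLE.TEST",
                              "4d1f3b1c-3f4a-11ef-9c1e-525400abcdef"))
```

Both attributes are required to match the same entry: a re-created host with the same FQDN gets a fresh ipaUniqueID, so certificates issued to the old object stop validating even though the principal name is reused.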