> That's unfortunate.  However, there is a bigger problem - the email address 
> isn't making it into the certificate.

You'd need to modify the profile for that to happen. Dogtag will always fill 
the subject according to the profile and the constraint set there.

To be honest, I have never tried to put the email address into the subject. 
However, I believe this is not necessary for S/MIME to work. Do you absolutely 
need the email address to appear in the subject? All of the S/MIME software I 
have used allowed the email address to appear in the subjectAltName field, and this is 
something that works fine with the IPA-bundled Dogtag.

However, what is important is that the certificate needs to have the 
1.3.6.1.5.5.7.3.4 EKU set.

See this example in the official RH documentation:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/creating-and-managing-certificate-profiles-in-identity-management_configuring-and-managing-idm

I have had a very similar setup working for years.

When I generate the CSR, I add a subjectAltName with an email address that matches 
the address the particular user has set in IPA. I sign the certificate in IPA using 
a profile that has the mentioned EKU added. The resulting user certificate has CN set 
to the user's IPA login and there is also a subjectAltName with the email address. This is 
enough for my S/MIME software to accept the certificate and properly validate 
it (verify signatures etc.).

Best regards,
Radoslaw
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
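The procedure Radoslaw describes, reproduced with openssl as an added example (this is not code from the thread, nor from FreeIPA or Dogtag): a throwaway local CA stands in for the IPA CA, the CSR carries the user's email in subjectAltName, the signing step copies that SAN from the request and adds the 1.3.6.1.5.5.7.3.4 (emailProtection) EKU the way an S/MIME profile would, and a final check confirms the three things an S/MIME client needs to see. A second certificate issued without the EKU is run through the same check to show the failure mode the reply warns about. The login `jdoe`, the address `jdoe@example.test` and the CA subject are constructed values, not anything from IPA.

```shell
#!/bin/sh
# Added example: CSR with e-mail SAN -> profile-style signing -> S/MIME check.
# All names below are constructed for the demo; the stand-in CA replaces the
# Dogtag CA that IPA would use. Requires openssl >= 1.1.1 (for -addext).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

IPA_LOGIN="jdoe"                # hypothetical IPA login (would become the CN)
IPA_MAIL="jdoe@example.test"    # hypothetical mail attribute of that user

# 1. Stand-in CA (in a real deployment this is Dogtag inside IPA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. The CSR as the poster builds it: CN = login, e-mail in subjectAltName.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$IPA_LOGIN" \
        -addext "subjectAltName=email:$IPA_MAIL" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
}

# 3. Sign like a profile would: keep the requested SAN and add the EKU.
#    $1 = output file, $2 = "eku" to include emailProtection, anything else to omit it
issue_cert() {
    san=$(openssl req -in "$WORK/user.csr" -noout -text \
          | sed -n 's/.*email:\([^, ]*\).*/\1/p')
    {
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage=digitalSignature,keyEncipherment"
        echo "subjectAltName=email:$san"
        [ "$2" = "eku" ] && echo "extendedKeyUsage=emailProtection"   # 1.3.6.1.5.5.7.3.4
    } > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$1" >/dev/null 2>&1
}

# 4. What an S/MIME client effectively checks: emailProtection EKU present,
#    the sender's address in the SAN, and a chain that verifies for smimesign.
#    $1 = certificate, $2 = expected e-mail address. Prints ok / no-eku / no-san / chain.
check_smime_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'E-mail Protection' || { echo no-eku; return 1; }
    printf '%s\n' "$text" | grep -q "email:$2"          || { echo no-san; return 1; }
    openssl verify -purpose smimesign -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 \
        || { echo chain; return 1; }
    echo ok
}

make_ca
make_csr
issue_cert "$WORK/user.pem" eku          # what the S/MIME profile produces
issue_cert "$WORK/user_noeku.pem" none   # same request, EKU left out

echo "subject of issued cert: $(openssl x509 -in "$WORK/user.pem" -noout -subject)"
echo "with EKU:    $(check_smime_cert "$WORK/user.pem" "$IPA_MAIL")"
echo "without EKU: $(check_smime_cert "$WORK/user_noeku.pem" "$IPA_MAIL")"
```

The subject of the issued certificate stays `CN=jdoe` because the signing step never touches it; that mirrors the point that Dogtag fills the subject from the profile, while the email travels in the SAN. The certificate issued without `extendedKeyUsage=emailProtection` fails the check with `no-eku`, even though its chain and SAN are fine.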