On Wed, Nov 25, 2015 at 12:42:28PM +0000, wouter.hummel...@kpn.com wrote:
> Hello,
> 
> For one of my customer projects I need server certificates that have an OU 
> component in the subject. I tried making a certificate profile that is 
> identical to the default caIPAServiceCert except for the first section. I 
> changed the constraint to include OU and the default to include an OU, 
> however that doesn't appear to be a valid field.
> 
> policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> policyset.serverCertSet.1.constraint.params.accept=true
> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,OU=[^,],.+
> policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> policyset.serverCertSet.1.default.name=Subject Name Default
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,OU=$request.req_subject_name.ou$,O=LINUX.TEST.INFRA.LOCAL
> 
> I can see the CSR that comes into pki include the OU field when requested 
> like following.
> 
> ipa-getcert request -I test -k /etc/pki/tls/certs/server.key \
>   -f /etc/pki/tls/certs/server.cert \
>   -N "CN=$(hostname -f),OU=Test,O=LINUX.TEST.INFRA.LOCAL" \
>   -K host/$(hostname -f) -w -T KPNWebhostingServiceCert
> 
> The debug log however doesn't show a key like request.req_subject_name.ou, 
> and results in a nasty error on the certmonger side:
> Request ID 'test':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipaserver.ipa.local/ipa/xml failed 
> request, will retry: 4301 (RPC failed at server.  Certificate operation 
> cannot be completed: unknown(3) (Request Rejected - {0})).
>         stuck: no
>         key pair storage: type=FILE,location='/etc/pki/tls/certs/server.key'
>         certificate: type=FILE,location='/etc/pki/tls/certs/server.cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
Hi, thanks for your detailed report.

Dogtag currently only supports $request.req_subject_name.{cn,uid}$.
The error occurs because Dogtag does not populate the
$request.req_subject_name.ou$ substitution variable thus the
formatting of the subject name fails.

If the OU is to be the same for all certificates, or if there are
only a handful of values, you can make different profiles with
constant OUs.

If that is not adequate, we can file an RFE to add support for other
DN components including OU.

(Also, note that FreeIPA currently does not perform any validation
of the OU in the CSR against the target principal's entry).

Cheers,
Fraser

> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>
> Telefoon: +31 (0)6 1288 2447
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
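Added example, not code from the thread, from Dogtag or from FreeIPA: a small Python model of what a profile's subject name default and subject name constraint do to an incoming CSR subject, so a candidate profile can be sanity-checked offline before it is imported. It assumes, as the reply states, that only `cn` and `uid` substitution variables are populated, and it assumes Dogtag applies the constraint pattern as a full match (the behaviour of Java's `Pattern.matches`). The hostname, the CSR subject and the constant-OU profile variant are constructed for the example. It also surfaces a second problem with the pattern as posted: `OU=[^,]` admits a one-character OU only, so a populated OU of `Test` would still be rejected by the constraint.

```python
"""Offline check of a Dogtag-style subject name default + constraint.

Simplified model of the behaviour described in the thread, written for
this example; it is not Dogtag's own code.
"""
import re

# Substitution variables Dogtag populates for the subject name default
# (only cn and uid, per the reply in the thread).
SUPPORTED_VARS = {"cn", "uid"}

# Profile fragment as posted: OU taken from the CSR.  Fails twice over:
# $request.req_subject_name.ou$ is never populated, and 'OU=[^,]' in the
# constraint matches a single-character OU only.
PROFILE_AS_POSTED = """
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,OU=[^,],.+
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,OU=$request.req_subject_name.ou$,O=LINUX.TEST.INFRA.LOCAL
"""

# Workaround from the reply: one profile per OU, OU written as a constant.
# The constraint is tightened to pin OU and O as well (constructed variant).
PROFILE_CONSTANT_OU = """
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,OU=Test,O=LINUX\\.TEST\\.INFRA\\.LOCAL
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,OU=Test,O=LINUX.TEST.INFRA.LOCAL
"""

# Constructed CSR subject, as ipa-getcert -N "CN=...,OU=Test,O=..." would send it.
CSR_SUBJECT = {"cn": "web01.linux.test.infra.local", "ou": "Test",
               "o": "LINUX.TEST.INFRA.LOCAL"}

PATTERN_KEY = "policyset.serverCertSet.1.constraint.params.pattern"
TEMPLATE_KEY = "policyset.serverCertSet.1.default.params.name"

VAR_RE = re.compile(r"\$request\.req_subject_name\.([a-z]+)\$")


class UnsupportedVariable(ValueError):
    """A $request.req_subject_name.X$ variable Dogtag does not populate."""


def parse_profile(text):
    """Return {key: value} for 'key=value' lines; values may contain '='."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key] = value
    return params


def render_subject(template, csr_subject):
    """Expand the substitution variables from the CSR subject attributes.

    Raises UnsupportedVariable for a variable Dogtag does not populate; the
    rejection seen in the thread is modelled as this failure.
    """
    def sub(match):
        attr = match.group(1)
        if attr not in SUPPORTED_VARS:
            raise UnsupportedVariable(
                f"$request.req_subject_name.{attr}$ is not populated by Dogtag")
        return csr_subject[attr]
    return VAR_RE.sub(sub, template)


def check_constraint(pattern, subject):
    """True if the rendered subject satisfies the constraint pattern.

    Assumption: the pattern must match the whole DN string (full match).
    """
    return re.fullmatch(pattern, subject) is not None


def check_profile(profile_text, csr_subject):
    """Render the subject default and test it against the constraint.

    Returns (True, rendered_subject) on success, (False, reason) otherwise.
    """
    params = parse_profile(profile_text)
    pattern, template = params[PATTERN_KEY], params[TEMPLATE_KEY]
    try:
        subject = render_subject(template, csr_subject)
    except UnsupportedVariable as exc:
        return (False, str(exc))
    if not check_constraint(pattern, subject):
        return (False, f"subject {subject!r} does not match constraint {pattern!r}")
    return (True, subject)


if __name__ == "__main__":
    for name, profile in (("as posted", PROFILE_AS_POSTED),
                          ("constant OU", PROFILE_CONSTANT_OU)):
        ok, detail = check_profile(profile, CSR_SUBJECT)
        print(f"{name}: {'OK' if ok else 'REJECTED'}: {detail}")
    # The posted pattern would reject OU=Test even if the variable were populated.
    print("posted pattern accepts OU=Test:",
          check_constraint("CN=[^,]+,OU=[^,],.+", "CN=web01,OU=Test,O=X"))
```

Run it as a script to see both profiles evaluated; the profile as posted is rejected at the substitution step, the constant-OU profile renders and passes its constraint. Keep in mind the caveat from the reply: since FreeIPA does not check the OU in the CSR against the principal's entry, pinning the OU in the profile (and restricting who may use that profile through a CA ACL) is what actually binds the OU to the intended set of hosts.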
