Thank you for the direct and clear answer, Fraser! I do understand the reason why it is possible to have more than one certificate with the same subjectName. But sometimes there are specific requirements for the client. I will implement a constraint and try to solve the problem in that way.

Best regards,
Veselin

On 04/02/2017 03:23 PM, Fraser Tweedale wrote:
> On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
>> Hello,
>>
>> I installed the latest version of DogTag but I have a problem with the
>> uniqueness of the Subject Name. By default I can issue more than one
>> certificate with the same Subject Name. The problem becomes even worse
>> when I use a profile based on directory authentication. So it looks like
>> anyone with proper credentials can issue a countless number of certificates
>> with the same subject.
>>
>> Since it is a fresh installation and only the LDAP authenticator and
>> publisher are configured, I doubt it is an error related to any
>> intervention in the certificate profiles. On the other side, I can't find
>> this discussed in any detail in the documentation (even in the one for
>> Red Hat Certificate Server).
>>
>> Am I doing anything wrong, or is it expected? Or if it is the default, how
>> could I limit the users of automatic enrolment to having only one
>> certificate?
>>
>> Thank you very much in advance for your answer.
>>
>> Best regards,
>>
>> Veselin Kolev
>>
> Hi Veselin,
>
> In general, it does not make sense to limit a subject to one
> certificate. There are many reasons:
>
> - different certs for different purposes for the same subject
>
> - certificates with different keys (or key types) for the same subject
>
> - the need for an "overlap" between certs that are soon to expire
>   and the replacement
>
> If you really do need to limit the number of certs issued per subject,
> you could write profile constraint components to enforce that. But
> they do not exist already, and we are unlikely to implement them.
>
> Thanks,
> Fraser

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
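The decision logic such a "one active certificate per subject" profile constraint would need, as an added example that is not Dogtag code and not from either poster: it stands in for the check a constraint plugin would run before issuance, uses an in-memory list as a stand-in for the CA's certificate database, and keeps the renewal overlap Fraser mentions by ignoring live certificates that are inside a constructed 30-day renewal window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IssuedCert:
    """Minimal view of a certificate already in the CA database (constructed for this example)."""
    serial: int
    subject: str
    not_after: datetime
    revoked: bool = False


def normalize_dn(dn: str) -> str:
    """Compare subject DNs loosely: RDN order as given, case- and whitespace-insensitive."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def check_subject_unique(subject, issued, now, renewal_window=timedelta(days=30)):
    """Decide whether a request for `subject` may be issued under a one-active-cert rule.

    Returns (accept, reason).  Expired and revoked certificates never block a request;
    a live certificate that is already inside its renewal window does not block either,
    so a replacement can overlap with the certificate it supersedes.
    """
    wanted = normalize_dn(subject)
    for cert in issued:
        if normalize_dn(cert.subject) != wanted:
            continue
        if cert.revoked or cert.not_after <= now:
            continue                      # dead certificate, does not count
        if cert.not_after - now <= renewal_window:
            continue                      # renewal overlap is allowed
        return False, f"subject already has active certificate (serial {cert.serial})"
    return True, "ok"


# Constructed sample database; NOW is fixed so the example is deterministic.
NOW = datetime(2017, 4, 3, tzinfo=timezone.utc)
SAMPLE_DB = [
    IssuedCert(1, "CN=alice,OU=Users,O=Example", NOW + timedelta(days=300)),
    IssuedCert(2, "CN=bob,OU=Users,O=Example", NOW + timedelta(days=10)),    # about to expire
    IssuedCert(3, "CN=carol,OU=Users,O=Example", NOW + timedelta(days=200), revoked=True),
    IssuedCert(4, "CN=dave,OU=Users,O=Example", NOW - timedelta(days=1)),    # expired
]

if __name__ == "__main__":
    for dn in ["cn=Alice, ou=Users, o=Example", "CN=bob,OU=Users,O=Example",
               "CN=carol,OU=Users,O=Example", "CN=erin,OU=Users,O=Example"]:
        print(dn, check_subject_unique(dn, SAMPLE_DB, NOW))
```

Only the request for alice is rejected; bob is renewing inside the window, carol's and dave's earlier certificates are no longer live, and erin has none.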
