On Sun, Apr 02, 2017 at 03:35:25PM -0700, Vesselin Kolev wrote: > Thank you for the direct and clear answer, Fraser! > > I do understand the reason why it is possible to have more than one > certificate with the same subjectName. But sometimes there are specific > requirements for the client. I will implement a constraint and try to > solve the problem it that way. > Good luck. Reach out if you have specific questions.
> Best regards, > > Veselin > > > On 04/02/2017 03:23 PM, Fraser Tweedale wrote: > > On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote: > >> Hello, > >> > >> I installed the last version of DogTag but I have a problem with the > >> uniqueness of the Subject Name. By default I can issue more than one > >> certificate with the same Subject Name. The problem becomes even worst > >> when I use a profile based on directory authentication. So it looks that > >> anyone with proper credentials can issue countless number of certificate > >> with the same subject. > >> > >> Since is it a fresh installation and only the LDAP authenticator and > >> publisher are configured I doubt it is an error related to any > >> intervention to the certificate profiles. On the other side I can't fine > >> in the documentation (even in the on of Red Hat Certificate Server) this > >> discussed in any details. > >> > >> Do I do anything wrong or it is expected? Or if it is by default how > >> could I make it possible to limit the users using the automatic > >> enrolling to be able to have only one certificate? > >> > >> Thank you very much in advance for your answer. > >> > >> Best regards, > >> > >> Veselin Kolev > >> > > Hi Veselin, > > > > In general, it does not make sense to limit a subject to one > > certificate. There are many reasons: > > > > - different certs for different purposes for same subject > > > > - certificates with different keys (or key types) for same subject > > > > - the need for an "overlap" between certs that are soon to expire, > > and the replacement > > > > If you really do need to limit number of certs issued per subject, > > you could write profile constraint components to enforce that. But > > they do not exist already, and we are unlikely to implement them. > > > > Thanks, > > Fraser > _______________________________________________ Pki-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-users
