On Tue, Jul 06, 2021 at 01:29:48PM -0400, Rob Crittenden via
FreeIPA-users wrote:
> Ian Pilcher via FreeIPA-users wrote:
> > I've hit a roadblock while trying to generate a certificate for
> > a VMware vSphere appliance.
> > 
> > The VMware "Certificate Management" tool doesn't allow one to
> > upload a certificate and key.  Instead, one has to generate a
> > CSR in the VMware GUI which then gets submitted to the CA (IPA
> > in this case).
> > 
> > Unfortunately, the VMware tool refuses to generate a CSR that
> > does not include an email address in its subject alternative
> > names extension, and IPA refuses to issue a host or service
> > certificate that includes an email address.
> > 
> > Is it possible to create a certificate profile that will simply
> > ignore the email address (i.e. not include it in the SAN of the
> > issued certificate)?
> > 
> 
> IPA doesn't allow a CSR that has an RFC822Name SAN for a non-user.
> This validation happens before the CSR is submitted to the CA.
> 
> You'd have to modify code to drop this requirement.
> 
And you'd have to modify code in both FreeIPA and Dogtag.  And those
modifications could lead to dangerous situations.  For example, a
"mismatch" where email address gets ignored by FreeIPA, but included
in the certificate by Dogtag.  IMO such possibilities must be
avoided.  FreeIPA MUST validate all SANs, because in general FreeIPA
doesn't know which values Dogtag will propagate to the certificate.
(In the common case, we know that the whole SAN extension will be
included as-is).

To implement such a feature securely requires a major rewrite of how
certificate profiles work in Dogtag.

Thanks,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org

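The check Rob and Fraser describe, as an added illustration that is not FreeIPA's or Dogtag's own code: walk the DER-encoded GeneralNames of a CSR's SAN extension and flag name types the requesting principal may not have, so that an rfc822Name in a host or service request is rejected before anything reaches the CA. The ALLOWED_SAN_TYPES table and the sample SAN (a DNS name plus an e-mail address, like the one the VMware tool insists on) are constructed for this example and are not FreeIPA's real policy or real data.

```python
"""Illustrative SAN validation by principal type (not FreeIPA/Dogtag code).

FreeIPA rejects a CSR that carries an rfc822Name SAN for a non-user principal
before the CSR is submitted to Dogtag.  This shows the shape of such a check
over the DER GeneralNames value of the subjectAltName extension.
"""
import ipaddress

# GeneralName context-specific tag numbers (RFC 5280, section 4.2.1.6).
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 4: "directoryName",
    6: "uniformResourceIdentifier", 7: "iPAddress",
}

# Illustrative policy for the example: e-mail names belong to users only.
# FreeIPA's real per-principal rules are broader than this table.
ALLOWED_SAN_TYPES = {
    "user": {"rfc822Name"},
    "host": {"dNSName", "iPAddress"},
    "service": {"dNSName", "iPAddress"},
}


def _read_tlv(data, pos):
    """Read one DER TLV at `pos`; return (tag, value_bytes, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def parse_general_names(der):
    """Decode a DER GeneralNames SEQUENCE into (type, value) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName without context-specific tag")
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown[%d]" % (tag & 0x1F))
        if kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            names.append((kind, value.decode("ascii")))
        elif kind == "iPAddress":           # 4 bytes (v4) or 16 bytes (v6)
            names.append((kind, str(ipaddress.ip_address(value))))
        else:
            names.append((kind, value.hex()))
    return names


def check_san_for_principal(der, principal_type):
    """Return the (type, value) names the principal type may not request.

    An empty list means the SAN passes.  A non-empty list for a host or
    service is the situation in which FreeIPA refuses the CSR outright.
    """
    allowed = ALLOWED_SAN_TYPES[principal_type]
    return [n for n in parse_general_names(der) if n[0] not in allowed]


# Constructed sample SAN: a DNS name plus an e-mail address, as the VMware
# CSR generator produces.  Names are made up for this example.
SAMPLE_SAN = _encode_tlv(0x30,
    _encode_tlv(0x82, b"vcsa.example.test") +
    _encode_tlv(0x81, b"admin@example.test"))

if __name__ == "__main__":
    for ptype in ("host", "service", "user"):
        print(ptype, "rejects:", check_san_for_principal(SAMPLE_SAN, ptype))
```

Run as a script it prints which names each principal type would reject; the host and service cases reject the rfc822Name, which is exactly the outcome the thread describes. The point of checking every GeneralName rather than ignoring the unwanted ones is the one Fraser makes: the front end cannot assume the CA will drop a value, so anything it does not validate may end up in the issued certificate.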