[Freeipa-devel] [PATCH] 351 configurable certificate subjects

Rob Crittenden rcritten at redhat.com
Wed Jan 20 22:44:36 UTC 2010


John Dennis wrote:
> On 01/20/2010 11:31 AM, Rob Crittenden wrote:
>> Let the user, upon installation, set the certificate subject base for
>> the dogtag CA. Certificate requests will automatically be given this
>> subject base, regardless of what is in the CSR.
>>
>> The selfsign plugin does not currently support this dynamic name
>> re-assignment and will reject any incoming requests that don't conform
>> to the subject base.
>>
>> The certificate subject base is stored in cn=ipaconfig but it does NOT
>> dynamically update the configuration, for dogtag at least. The file
>> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be
>> updated and pki-cad restarted.
>>
>> For example:
>> # ipa-server-install --ca --subject="O=Example"
>>
>> If the installed CA is dogtag then the following will happen:
>>
>> 1. request for CN=test.example.com will issue CN=test.example.com,
>> O=Example
>> 2. request for CN=test.example.com, O=Test will issue
>> CN=test.example.com, O=Example
>> 3. request for CN=test.example.com, O=Example will issue
>> CN=test.example.com, O=Example
>>
>> If the installed CA is selfsign then the following will happen:
>>
>> 1. request for CN=test.example.com will be rejected
>> 2. request for CN=test.example.com, O=Test will be rejected
>> 3. request for CN=test.example.com, O=Example will issue
>> CN=test.example.com, O=Example
>>
>> rob
> 
> ACK
> 

pushed to master
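The two issuance policies described in the quoted mail, modelled as an added example (this is not FreeIPA's own code, nor the dogtag profile logic; the DN parser is a deliberately simplified, constructed one that handles only comma-separated `attr=value` RDNs with no escaping). `dogtag_issue` keeps the CN from the request and replaces everything else with the configured subject base; `selfsign_issue` accepts only a request whose subject is exactly the CN followed by the subject base and returns `None` for anything else. The three request shapes from the mail are used as the sample input:

```python
# Added example, not FreeIPA code: model the subject-base handling described
# in the patch mail for the dogtag and selfsign CA back ends.

SUBJECT_BASE = "O=Example"   # as set by: ipa-server-install --ca --subject="O=Example"


def parse_dn(dn):
    """Split 'CN=host, O=Example' into [('CN', 'host'), ('O', 'Example')].

    Constructed, simplified parser: comma-separated RDNs, no escaping or
    multi-valued RDNs. Attribute types are case-insensitive in X.500, so
    they are upper-cased; values are compared as given.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns):
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def dogtag_issue(request_dn, subject_base=SUBJECT_BASE):
    """Dogtag behaviour from the mail: the CN of the CSR is kept and the
    configured subject base is appended, regardless of what else the CSR
    carried (so 'O=Test' is silently replaced by 'O=Example')."""
    cn = [(attr, value) for attr, value in parse_dn(request_dn) if attr == "CN"]
    if len(cn) != 1:
        raise ValueError("request must carry exactly one CN")
    return format_dn(cn + parse_dn(subject_base))


def selfsign_issue(request_dn, subject_base=SUBJECT_BASE):
    """Selfsign behaviour from the mail: no rewriting, so the request is
    rejected (None) unless its subject is exactly CN plus the subject base."""
    rdns = parse_dn(request_dn)
    if not rdns or rdns[0][0] != "CN":
        return None
    if rdns[1:] != parse_dn(subject_base):
        return None
    return format_dn(rdns)


# Constructed sample requests, mirroring the three cases in the mail.
SAMPLE_REQUESTS = [
    "CN=test.example.com",
    "CN=test.example.com, O=Test",
    "CN=test.example.com, O=Example",
]


def run_samples():
    """Return {request: (dogtag result, selfsign result)} for the sample CSR subjects."""
    return {
        req: (dogtag_issue(req), selfsign_issue(req)) for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, (dogtag, selfsign) in run_samples().items():
        print(f"request {req!r}")
        print(f"  dogtag   -> {dogtag}")
        print(f"  selfsign -> {selfsign if selfsign else 'rejected'}")
```

Running the module prints the same outcome table the mail lists: dogtag issues `CN=test.example.com, O=Example` for all three requests, while selfsign rejects the first two and issues only the third. Note the operational caveat from the mail is not modelled here: in the real deployment the subject base is read from the dogtag profile file, so changing `cn=ipaconfig` alone does not change what dogtag issues.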
