[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

Sebastian Hetze shetze at redhat.com
Sat Jul 9 09:38:01 UTC 2016


Hi *,

from the discussion so far, I realize that I've made the false
assumption that the actual requirements and business cases related to
the pre-existing RFE #828866 are well understood.

To clarify the requirements, here is the core of a new RFE document that
is on its way via the current customer case:

3. What is the nature and description of the request?

Currently, the subject for an IPA generated CA cert is built of two
components, a subject base DN (subject_base) and a static common name:
'CN=Certificate Authority'. While the subject_base is customizable via a
command line option to ipa-server-install, the common name is hard coded
into the installer.

It is required to have the common name component of the subject DN
customizable. In addition, it is required to allow an additional and
optional emailAddress component prepended to the subject DN as most
significant component.

4. Why does the customer need this? (List the business requirements here)

The customer needs to integrate IPA into an existing chain of trust. The
IPA generated CA certificate needs to be signed by a superordinate PKI.
To allow the IPA CA CSR to be signed by the superordinate PKI, it needs
to meet certain criteria, including a particular customer specific
common name and an additional emailAddress to clearly identify the
subordinate CA.

The current hard coded common name does not meet the requirements and
therefore makes the integration of IPA into the existing PKI impossible.
This in turn leaves the Linux/Unix IT operations dependent on the
superordinate PKI even in cases where creation of service certs could
perfectly well be delegated to this Linux/Unix IT Ops in accordance with
existing compliance rules and operational processes.

5. How would the customer like to achieve this? (List the functional
requirements here)

The customer would like to get options to customize the common name and
add an email address to the CA cert subject upon creation with
ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.

The new feature (option) must result in a CA cert CSR with subject line like

/usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr|grep Subject:
  Subject: E=caadmin at example.com,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US

or

openssl req -text -noout -in /root/ipa.csr |grep Subject:
  Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin at example.com

This IPA CA CSR must be signable by an Active Directory PKI and that
signed certificate must be usable to proceed with the IPA server
installation.  In particular, IPA must be able to provide and accept the
canonical order of subject attributes with emailAddress as most
significant attribute, as shown in the example above.

7. Is there already an existing RFE upstream or in Red Hat bugzilla?

#828866 [RFE] enhance --subject option for ipa-server-install

8. Does the customer have any specific timeline dependencies?

Within the next three months.

On 07/07/2016 06:58 AM, Sebastian Hetze wrote:
> Hi *
>
> attached you find a patch that adds new options --subject_cn and
> --subject_mail to ipa-server-install that make the CA cert subject CN
> customizable.
>
> This patch has been tested by a customer in a PoC.
> However, I assume additional testing in different environments is required.
>
> It would be greatly appreciated if this patch would find its way into
> the product very soon.
>
> Beste Grüße / Best regards
>   Sebastian Hetze

Beste Grüße / Best regards
  Sebastian Hetze
-- 
Senior Solution Architect
Red Hat GmbH. Niederlassung Berlin
Am Treptower Park 75 12435 Berlin
Tel: +49 30 678 1798-241 . Mobil: +49 173 8914205
Fax: +49 30 678 1798-111 . E-Mail: she at redhat.com
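The acceptance check in item 6 of the RFE compares the subject printed by two tools that disagree on RDN order and on the spelling of the e-mail attribute (NSS `pp` prints `E=` most-significant-first, `openssl req -text` prints `emailAddress=` least-significant-first). The following script is an added example, not part of the proposed FreeIPA patch or of the list discussion: it normalises both outputs into one RDN list, composes the subject the RFE asks for from a subject_base plus custom CN and optional e-mail, and checks that emailAddress sits ahead of the CN as the most significant component. The sample subject lines are constructed for this example (with a real `@` instead of the list archive's " at " munging); handling of escaped `,` or `/` inside attribute values is out of scope and marked as an assumption in the code.

```python
import re

# NSS pp prints the e-mail attribute as "E", OpenSSL as "emailAddress";
# map both to one canonical spelling so the two outputs can be compared.
ATTR_ALIASES = {"E": "emailAddress", "EMAILADDRESS": "emailAddress"}

# Constructed sample output modelled on the two commands quoted in the RFE.
NSS_PP_LINE = ("  Subject: E=caadmin@example.com,CN=Custom CA Name,OU=Example IT,"
               "O=Example Corp,L=City,ST=State,C=US")
OPENSSL_LINE = ("  Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,"
                "CN=Custom CA Name/emailAddress=caadmin@example.com")


def _normalise_type(attr_type):
    """Canonical attribute-type name (case-folded, aliases resolved)."""
    key = attr_type.strip().upper()
    return ATTR_ALIASES.get(key, key)


def parse_subject(line, most_significant_first=True):
    """Parse a 'Subject: ...' line into [(type, value), ...], most significant RDN first.

    NSS pp already prints the DN most-significant-first (RFC 4514 order);
    openssl prints it least-significant-first and joins the trailing
    emailAddress with '/', so pass most_significant_first=False for it.
    Assumption: attribute values contain no escaped ',' or '/'.
    """
    body = line.split("Subject:", 1)[1] if "Subject:" in line else line
    rdns = []
    for part in re.split(r"[,/]", body.strip()):
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((_normalise_type(attr_type), value.strip()))
    return rdns if most_significant_first else list(reversed(rdns))


def build_subject(subject_base, cn, email=None):
    """Compose the CA subject the RFE asks for: [emailAddress,] CN, then subject_base.

    Returned most-significant-first, i.e. the way NSS pp prints it.
    """
    parts = [f"CN={cn}", subject_base]
    if email:
        parts.insert(0, f"emailAddress={email}")
    return ",".join(parts)


def check_requirement(rdns, expected_cn, expected_email=None):
    """Acceptance check from item 6 of the RFE.

    The CN must carry the custom value and, when an e-mail is requested,
    emailAddress must be the most significant RDN, directly ahead of the CN.
    """
    types = [attr_type for attr_type, _ in rdns]
    if "CN" not in types:
        return False
    cn_index = types.index("CN")
    if rdns[cn_index][1] != expected_cn:
        return False
    if expected_email is None:
        return True
    return cn_index == 1 and rdns[0] == ("emailAddress", expected_email)


if __name__ == "__main__":
    from_nss = parse_subject(NSS_PP_LINE)
    from_openssl = parse_subject(OPENSSL_LINE, most_significant_first=False)
    print("both tools agree on the DN:", from_nss == from_openssl)
    print("meets RFE requirement:",
          check_requirement(from_nss, "Custom CA Name", "caadmin@example.com"))
    print("composed subject:",
          build_subject("OU=Example IT,O=Example Corp,L=City,ST=State,C=US",
                        "Custom CA Name", "caadmin@example.com"))
```

Run it as-is to see that the NSS and OpenSSL renderings of the constructed CSR subject reduce to the same ordered RDN list; replace the two sample lines with the real `pp` and `openssl req` output from `/root/ipa.csr` to use it as the test step the RFE describes.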