[Freeipa-devel] FreeIPA Sub-CA: certificate subject

Fraser Tweedale ftweedal at redhat.com
Tue Jun 28 10:23:35 UTC 2016


On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> Hi Fraser,
> 
> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
> 
> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
> 
> Then I set up ACL and generated a certificate request by:
> 
> $ certutil -R -d . -a -g 2048 -s 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
> 
> The resulting certificate is attached. What I am pondering about is
> 
>         Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
>         ...
>         Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
> 
> Shouldn't the subject have O=VPN in it also?
> 
Hi Martin,

(Cc freeipa-devel@ ; this info may be of general interest)

The subject is determined by the certificate profile.  In the case
of caIPAserviceCert, the pattern is:

    CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O

The CN comes from the CSR, and the Organisation is the IPA
certificate subject base (as a literal string in the profile
configuration).

There are no substitution variables available to say "use such and
such from the issuer DN".  If the default pattern is not suitable,
you can define a profile with the subject DN pattern having exactly
the O=... parts of DN you want (and/or other attributes), then
associate the profile with the CA through CA ACLs.  (This approach
is not elegant and does not scale well to many CAs).

Hope that my explanation is helpful.

Cheers,
Fraser
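
For the workaround Fraser describes above (a dedicated profile whose subject DN pattern spells out the O= RDNs, tied to the sub-CA through a CA ACL), here is an added example in shell; it is not code from this thread or from FreeIPA. The sub-CA name vpn, the profile name vpnServiceCert, the ACL name vpn-services, the realm DEMO1.FREEIPA.ORG and the HTTP/ipa.demo1.freeipa.org service are assumptions, and so is the sed-based rewrite of the raw profile; the ipa invocations are the standard certprofile, caacl and cert-request subcommands.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: clone
# caIPAserviceCert into a profile for the "vpn" sub-CA whose subject DN
# pattern carries the extra O=VPN RDN, then bind it to that CA with a CA ACL.
# Names (vpn, vpnServiceCert, vpn-services, DEMO1.FREEIPA.ORG, the HTTP
# service) are assumptions for illustration.
set -eu

# Dogtag keeps the subject-name default of caIPAserviceCert under this key.
# The only variable in the pattern is the CSR's CN; everything after it is a
# literal string, which is why the issuer's O=VPN never reaches the subject.
KEY='policyset.serverCertSet.1.default.params.name'

# rewrite_profile NEW_ID LITERAL_RDNS
#   Reads a raw profile (as exported by `ipa certprofile-show --out`) on stdin
#   and writes a copy on stdout with profileId renamed to NEW_ID and the
#   subject pattern replaced by "CN=$request.req_subject_name.cn$, LITERAL_RDNS".
#   LITERAL_RDNS must not contain '/', '&' or '\' (sed replacement metacharacters).
rewrite_profile() {
    sed -e "s/^profileId=.*/profileId=$1/" \
        -e "s/^\($KEY=\).*/\1CN=\$request.req_subject_name.cn\$, $2/"
}

# check_pattern LITERAL_RDNS FILE
#   Succeeds only if FILE carries exactly the subject pattern we intend to
#   import; a cheap guard against a sed expression that silently matched nothing.
check_pattern() {
    grep -qxF "$KEY=CN=\$request.req_subject_name.cn\$, $1" "$2"
}

# Live procedure against an IPA server (needs an admin Kerberos ticket).
provision_vpn_profile() {
    ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.cfg
    rewrite_profile vpnServiceCert 'O=VPN,O=DEMO1.FREEIPA.ORG' \
        < caIPAserviceCert.cfg > vpnServiceCert.cfg
    check_pattern 'O=VPN,O=DEMO1.FREEIPA.ORG' vpnServiceCert.cfg
    ipa certprofile-import vpnServiceCert --file=vpnServiceCert.cfg \
        --store=TRUE --desc='Service certificates issued by the VPN sub-CA'

    # CA ACL: this profile, from the vpn sub-CA only, for the listed service only.
    ipa caacl-add vpn-services
    ipa caacl-add-ca vpn-services --cas=vpn
    ipa caacl-add-profile vpn-services --certprofiles=vpnServiceCert
    ipa caacl-add-service vpn-services --services=HTTP/ipa.demo1.freeipa.org

    # Request against the sub-CA with the new profile.  Any O= RDNs in the
    # CSR are still ignored; the O= parts come from the profile's literal.
    ipa cert-request ipa.csr --ca=vpn --profile-id=vpnServiceCert \
        --principal=HTTP/ipa.demo1.freeipa.org
}

# Only talk to the server when explicitly asked, so the helper functions
# above can be exercised offline.
if [ "${1:-}" = "--apply" ]; then
    provision_vpn_profile
fi
```

Every sub-CA that needs its own O= RDNs gets its own copy of this profile, which is the scaling problem Fraser notes: the pattern cannot refer to the issuer DN, so the literal has to be repeated per CA.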




More information about the Freeipa-devel mailing list