[Freeipa-devel] FreeIPA Sub-CA: certificate subject

Tue Jun 28 10:49:55 UTC 2016

On 28.6.2016 12:33, Martin Kosek wrote:
> On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
>> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
>>> Hi Fraser,
>>>
>>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
>>>
>>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
>>>
>>> Then I set up ACL and generated a certificate request by:
>>>
>>> $ certutil -R -d . -a -g 2048 -s
>>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
>>>
>>> The resulting certificate is attached. What I pondering about is
>>>
>>>         Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
>>>         ...
>>>         Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
>>>
>>> Shouldn't the subject have O=VPN in it also?
>>>
>> Hi Martin,
>>
>> (Cc freeipa-devel@ ; this info may be of general interest)
>>
>> The subject is determined by the certificate profile.  In the case
>> of caIPAserviceCert, the pattern is:
>>
>>     CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
>>
>> The CN comes from the CSR, and the Organisation is the IPA
>> certificate subject base (as a literal string in the profile
>> configuration).
>>
>> There are no substitution variables available to say "use such and
>> such from the issuer DN".  If the default pattern is not suitable,
>> you can define a profile with the subject DN pattern having exactly
>> the O=... parts of DN you want (and/or other attributes), then
>> associate the profile with the CA through CA ACLs.  (This approach
>> is not elegant and does not scale well to many CAs).
>>
>> Hope that my explanation is helpful.
>
> The explanation is helpful, I just do not I like the answer :-) What do you
> think would make most sense for Sub-CA users?
>
> I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would
> fill the non-CN part of issuer DN, i.e. in this case:
>
> O=DEMO1.FREEIPA.ORG, O=VPN
>
> which would make this profile flexible and usable in any Sub-CA.

>
> Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and
> respective Dogtag release? I am just afraid that given we release this feature
> in 4.4, people would have to very creative and duplicate lot of certificate
> profiles for different sub-CAs just to workaround the Subject patter
> limitation, as you mentioned.

What is the use case? The certificate is equally good with both the 
current and your suggested issuer name. There is no relation between 
issuer name and subject name in general, and AFAIK the current 
recommendation is to omit subject name for end-entity certificate 
entirely and instead rely on SAN, so why should we bother?

Honza

-- 
Jan Cholasta