[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

Fraser Tweedale ftweedal at redhat.com
Mon Aug 15 13:54:33 UTC 2016


On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
> On 15.8.2016 15:16, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> >> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >>>>> Hah! This is what I get for thinking I know what the output has to look
> >>>>> like, and not testing all the way through to requesting the cert. I'll
> >>>>> change the profile to generate a subject with CN= instead of UID=. Updated
> >>>>> patch is attached. Unfortunately these rules are only updated at
> >>>>> ipa-server-install time, so if you'd like to fix it without reinstalling:
> >>>>>
> >>> (Tangential commentary...) Yeah, currently cert-request demands the
> >>> CN.  There is a design to relax the requirement to handle empty
> >>> subject names (look at SAN only).  IMO it would make sense to accept
> >>> other "obvious" mappings in Subject DN like accepting UID instead of
> >>> CN for user subjects, but that would be a separate RFE.  No one has
> >>> actually asked for it yet :)
> >>
> >> Side-note:
> >> I thought that subject format is enforced by certificate profile on server.
> >> Am I wrong?
> >>
> > You are right - what I suggested above would (today) require a
> > custom profile.
> 
> Sooo...
> can we just relax existing profiles not to require CN= but accept SAN-only CSRs?
> 
> :-)
> 
That is absolutely going to happen as part of
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance :)
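The subject-handling question in the thread (today's CN requirement, a possible UID= mapping for user subjects, and accepting SAN-only CSRs with an empty Subject DN) as an added, runnable illustration. This is example code written for this page, not FreeIPA's cert-request or any of its profiles; it assumes the third-party `cryptography` package, and every host and user name in it is a constructed sample.

```python
# Added example, not FreeIPA's own code: build CSRs with the subject shapes
# discussed in the thread (CN=, UID=, and an empty Subject DN with only a
# SAN) and apply a strict check (CN mandatory, as cert-request does today)
# beside a relaxed one (accept UID for users, or SAN-only per RFC 2818).
# Assumes the third-party `cryptography` package; all names are constructed.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_csr(key, subject_attrs, dns_names=()):
    """Return a PEM CSR signed by `key`.

    `subject_attrs` is a list of (NameOID, value); an empty list produces an
    empty Subject DN, which is what a SAN-only request looks like.
    """
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    )
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256()).public_bytes(
        serialization.Encoding.PEM
    )


def subject_attr(csr, oid):
    """First value of a Subject DN attribute, or None if absent."""
    attrs = csr.subject.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else None


def san_dns_names(csr):
    """dNSName entries of the SAN extension, [] if the CSR has none."""
    try:
        ext = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def identities_for(pem, accept_uid=False, accept_san_only=False):
    """Names a CA front end would map to a principal, or raise ValueError.

    Default behaviour is the strict rule from the thread: the CSR must carry
    a CN.  `accept_uid` additionally honours UID= for user subjects, and
    `accept_san_only` admits a CSR whose Subject DN is empty as long as its
    SAN extension carries at least one dNSName.
    """
    csr = x509.load_pem_x509_csr(pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    cn = subject_attr(csr, NameOID.COMMON_NAME)
    if cn is not None:
        return [cn]
    uid = subject_attr(csr, NameOID.USER_ID)
    if accept_uid and uid is not None:
        return [uid]
    names = san_dns_names(csr)
    if accept_san_only and len(csr.subject) == 0 and names:
        return list(names)
    raise ValueError("CSR rejected: no CN in Subject DN")


def is_accepted(pem, **policy):
    """True if identities_for() accepts the CSR under the given policy."""
    try:
        identities_for(pem, **policy)
    except ValueError:
        return False
    return True


def build_samples():
    """Constructed sample CSRs keyed by the subject shape they exercise."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return {
        "cn": make_csr(key, [(NameOID.COMMON_NAME, "host1.example.test")],
                       ["host1.example.test"]),
        "uid": make_csr(key, [(NameOID.USER_ID, "alice")]),
        "san_only": make_csr(key, [], ["host2.example.test"]),
    }


if __name__ == "__main__":
    for shape, pem in build_samples().items():
        print(shape, "strict:", is_accepted(pem),
              "relaxed:", is_accepted(pem, accept_uid=True, accept_san_only=True))
```

The relaxed branch only fires when the Subject DN is genuinely empty and a dNSName is present; a CSR with some other subject attribute and no CN is still rejected, which keeps the UID mapping and the SAN-only case as two separate, explicitly enabled policies rather than one catch-all.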
