[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

Petr Spacek pspacek at redhat.com
Tue Aug 16 07:41:14 UTC 2016


On 16.8.2016 02:07, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 03:58:40PM +0200, Petr Spacek wrote:
>> On 15.8.2016 15:54, Fraser Tweedale wrote:
>>> On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
>>>> On 15.8.2016 15:16, Fraser Tweedale wrote:
>>>>> On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
>>>>>> On 2.8.2016 05:57, Fraser Tweedale wrote:
>>>>>>>>> Hah! This is what I get for thinking I know what the output has to look
>>>>>>>>> like, and not testing all the way through to requesting the cert. I'll
>>>>>>>>> change the profile to generate a subject with CN= instead of UID=. Updated
>>>>>>>>> patch is attached. Unfortunately these rules are only updated at
>>>>>>>>> ipa-server-install time, so if you'd like to fix it without reinstalling:
>>>>>>>>>
>>>>>>> (Tangential commentary...) Yeah, currently cert-request demands the
>>>>>>> CN.  There is a design to relax the requirement to handle empty
>>>>>>> subject names (look at SAN only).  IMO it would make sense to accept
>>>>>>> other "obvious" mappings in Subject DN like accepting UID instead of
>>>>>>> CN for user subjects, but that would be a separate RFE.  No one has
>>>>>>> actually asked for it yet :)
>>>>>>
>>>>>> Side-note:
>>>>>> I thought that the subject format is enforced by the certificate profile on the server.
>>>>>> Am I wrong?
>>>>>>
>>>>> You are right - what I suggested above would (today) require a
>>>>> custom profile.
>>>>
>>>> Sooo...
>>>> can we just relax existing profiles not to require CN= but accept SAN-only CSRs?
>>>>
>>>> :-)
>>>>
>>> That is absolutely going to happen as part of
>>> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance :)
>>
>> Good!
>>
>> Is it still targeting 4.4.x?
>>
> It's not going to make it.

Ok, I've removed the version=4.4.0 tag from
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance

-- 
Petr^2 Spacek



