[Freeipa-users] CA Certificate Profile
wouter.hummelink at kpn.com
Wed Nov 25 12:42:28 UTC 2015
Hello,
For one of my customer projects I need server certificates that have an OU component in the subject. I tried making a certificate profile that is identical to the default caIPAServiceCert except for the first section. I changed the constraint to include OU and the default to include an OU; however, that doesn't appear to be a valid field.
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,OU=[^,],.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,OU=$request.req_subject_name.ou$,O=LINUX.TEST.INFRA.LOCAL
I can see the CSR that comes into pki include the OU field when requested like following.
ipa-getcert request -I test -k /etc/pki/tls/certs/server.key -f /etc/pki/tls/certs/server.cert -N "CN=$(hostname -f),OU=Test,O=LINUX.TEST.INFRA.LOCAL" -K host/$(hostname -f) -w -T KPNWebhostingServiceCert
The debug log however doesn't show a key like request.req_subject_name.ou, and results in a nasty error on the certmonger side:
Request ID 'test':
status: CA_UNREACHABLE
ca-error: Server at https://ipaserver.ipa.local/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: unknown(3) (Request Rejected - {0})).
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/certs/server.key'
certificate: type=FILE,location='/etc/pki/tls/certs/server.cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Kind regards,
Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummelink at kpn.com
Phone: +31 (0)6 1288 2447
Save Paper - Do you really need to print this e-mail?
*********************************************************************************************************************************************************
KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, Chamber of Commerce registration 52959597 Amsterdam
The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material.
Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons
and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately
and delete the material. Thank you.
*********************************************************************************************************************************************************
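Added example (editor's note, not part of the original post and not FreeIPA or Dogtag code): a small Python model of the two profile entries quoted above, the Subject Name Default template and the Subject Name Constraint pattern, run against a few constructed CSR subjects. It assumes the constraint pattern is applied as a whole-string match (the equivalent of Java's Matcher.matches, which Python's re.fullmatch reproduces) and models placeholder resolution in a simplified way that reports a missing attribute instead of reproducing Dogtag's own substitution code. The hostname web01.ipa.local and the sample subjects are made up. What it shows is that the posted pattern `CN=[^,]+,OU=[^,],.+` has a single `[^,]` after `OU=`, so it matches only a one-character OU and rejects `OU=Test` even when the default renders the subject exactly as intended; the corrected pattern `OU=[^,]+` accepts it.

```python
import re

# Subject Name Constraint pattern exactly as posted in the profile.
# "[^,]" after "OU=" matches exactly ONE non-comma character, so OU=Test fails.
POSTED_PATTERN = r"CN=[^,]+,OU=[^,],.+"

# The pattern the profile evidently meant to carry: one or more characters in the OU.
FIXED_PATTERN = r"CN=[^,]+,OU=[^,]+,.+"

# Subject Name Default template as posted.
DEFAULT_TEMPLATE = (
    "CN=$request.req_subject_name.cn$,"
    "OU=$request.req_subject_name.ou$,"
    "O=LINUX.TEST.INFRA.LOCAL"
)

# Constructed sample subjects (not taken from a real CSR).
SAMPLES = {
    "ou_test": "CN=web01.ipa.local,OU=Test,O=LINUX.TEST.INFRA.LOCAL",
    "ou_single": "CN=web01.ipa.local,OU=T,O=LINUX.TEST.INFRA.LOCAL",
    "no_ou": "CN=web01.ipa.local,O=LINUX.TEST.INFRA.LOCAL",
}

# Matches $request.req_subject_name.<attr>$ placeholders in the default template.
PLACEHOLDER = re.compile(r"\$request\.req_subject_name\.([A-Za-z0-9]+)\$")


def subject_accepted(pattern: str, subject: str) -> bool:
    """Model of the Subject Name Constraint check.

    Assumption: the CA applies the pattern to the whole subject string
    (Java Matcher.matches), so re.fullmatch is the Python equivalent.
    """
    return re.fullmatch(pattern, subject) is not None


def parse_dn(subject: str) -> dict:
    """Split an RFC 4514-style string DN into {attr_type_lower: value}.

    Only unescaped commas separate RDNs; a repeated attribute type keeps
    its first occurrence.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().lower(), value.strip())
    return attrs


def render_default(template: str, subject: str):
    """Resolve the template's placeholders from the CSR subject.

    Simplified model of the substitution, not Dogtag's code: returns None
    when the template references an attribute the CSR subject does not carry.
    """
    attrs = parse_dn(subject)
    missing = [m.group(1).lower() for m in PLACEHOLDER.finditer(template)
               if m.group(1).lower() not in attrs]
    if missing:
        return None
    return PLACEHOLDER.sub(lambda m: attrs[m.group(1).lower()], template)


def check_request(pattern: str, template: str, subject: str) -> dict:
    """Run a CSR subject through the profile: default first, then constraint.

    Assumption: defaults populate the request before constraints validate it,
    so the constraint is evaluated against the rendered subject.
    """
    rendered = render_default(template, subject)
    if rendered is None:
        return {"rendered_subject": None, "constraint_ok": False}
    return {"rendered_subject": rendered,
            "constraint_ok": subject_accepted(pattern, rendered)}


if __name__ == "__main__":
    for name, subj in SAMPLES.items():
        print(f"{name:10} posted: {check_request(POSTED_PATTERN, DEFAULT_TEMPLATE, subj)}")
        print(f"{name:10} fixed:  {check_request(FIXED_PATTERN, DEFAULT_TEMPLATE, subj)}")
```

One caveat that applies to both patterns: `[^,]+` stops at the first comma, so an RDN value containing an escaped comma (`OU=Ops\, EMEA`) will not pass either constraint; if such values are expected, the pattern needs to allow `\\,` sequences as well.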