[Freeipa-users] CA Certificate Profile

Fraser Tweedale ftweedal at redhat.com
Thu Nov 26 04:03:10 UTC 2015


On Wed, Nov 25, 2015 at 12:42:28PM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
> 
> For one of my customer projects I need server certificates that have an OU component in the subject. I tried making a certificate profile that is identical to the default caIPAServiceCert except for the first section. I changed the constraint to include OU and the default to include an OU, however that doesn't appear to be a valid field.
> 
> policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> policyset.serverCertSet.1.constraint.params.accept=true
> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,OU=[^,],.+
> policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> policyset.serverCertSet.1.default.name=Subject Name Default
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,OU=$request.req_subject_name.ou$,O=LINUX.TEST.INFRA.LOCAL
> 
> I can see the CSR that comes into pki include the OU field when requested like the following.
> 
> ipa-getcert request -I test -k /etc/pki/tls/certs/server.key -f /etc/pki/tls/certs/server.cert -N "CN=$(hostname -f),OU=Test,O=LINUX.TEST.INFRA.LOCAL" -K host/$(hostname -f) -w -T KPNWebhostingServiceCert
> 
> The debug log however doesn't show a key like request.req_subject_name.ou, and results in a nasty error on the certmonger side:
> Request ID 'test':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipaserver.ipa.local/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: unknown(3) (Request Rejected - {0})).
>         stuck: no
>         key pair storage: type=FILE,location='/etc/pki/tls/certs/server.key'
>         certificate: type=FILE,location='/etc/pki/tls/certs/server.cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
Hi, thanks for your detailed report.

Dogtag currently only supports $request.req_subject_name.{cn,uid}$.
The error occurs because Dogtag does not populate the
$request.req_subject_name.ou$ substitution variable thus the
formatting of the subject name fails.

If the OU is to be the same for all certificates, or if there are
only a handful of values, you can make different profiles with
constant OUs.

If that is not adequate, we can file an RFE to add support for other
DN components including OU.

(Also, note that FreeIPA currently does not perform any validation
of the OU in the CSR against the target principal's entry).

Cheers,
Fraser

> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com<mailto:wouter.hummelink at kpn.com>
> Telephone: +31 (0)6 1288 2447
> 




> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
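As an added illustration that is not from the thread or from Dogtag's own code, the following Python model reproduces the behaviour Fraser describes: a subjectNameDefault template is expanded from the CSR subject, but only the cn and uid variables are populated, so a template referencing `.ou` fails before the subject name constraint is ever applied, while a profile with a constant OU renders and is accepted regardless of the OU in the CSR. The hostname, the whole-string regex match, the `+` quantifier on the OU component of the constraint pattern and the simplified DN parser are assumptions made here.

```python
import re

# Per Fraser's reply, Dogtag only populates these CSR-subject variables.
SUPPORTED_ATTRS = ("cn", "uid")
VAR_RE = re.compile(r"\$request\.req_subject_name\.([a-z]+)\$")

def parse_dn(dn):
    """Split 'CN=a,OU=b,O=c' into {'cn': 'a', 'ou': 'b', 'o': 'c'}.
    Assumes no escaped commas, which suffices for the DNs in the thread."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        attrs.setdefault(key.lower(), value.strip())
    return attrs

def render_subject_default(template, csr_subject):
    """Expand a subjectNameDefault 'params.name' template from the CSR subject.
    Raises KeyError for a variable Dogtag does not populate (e.g. .ou)."""
    attrs = parse_dn(csr_subject)
    def expand(match):
        attr = match.group(1)
        if attr not in SUPPORTED_ATTRS or attr not in attrs:
            raise KeyError(attr)
        return attrs[attr]
    return VAR_RE.sub(expand, template)

def evaluate_profile(template, pattern, csr_subject):
    """Simulate default-then-constraint processing of the subject name.
    Assumes the constraint regex must match the whole rendered subject."""
    try:
        subject = render_subject_default(template, csr_subject)
    except KeyError as err:
        return ("rejected", "unpopulated variable: " + err.args[0])
    if re.fullmatch(pattern, subject) is None:
        return ("rejected", "constraint mismatch: " + subject)
    return ("accepted", subject)

# Constructed sample data modelled on the thread (the hostname is made up).
CSR_SUBJECT = "CN=web01.linux.test.infra.local,OU=Test,O=LINUX.TEST.INFRA.LOCAL"
PATTERN = r"CN=[^,]+,OU=[^,]+,.+"  # '+' on the OU component added here
BROKEN_DEFAULT = ("CN=$request.req_subject_name.cn$,"
                  "OU=$request.req_subject_name.ou$,O=LINUX.TEST.INFRA.LOCAL")
CONSTANT_OU_DEFAULT = "CN=$request.req_subject_name.cn$,OU=Test,O=LINUX.TEST.INFRA.LOCAL"

if __name__ == "__main__":
    print(evaluate_profile(BROKEN_DEFAULT, PATTERN, CSR_SUBJECT))
    print(evaluate_profile(CONSTANT_OU_DEFAULT, PATTERN, CSR_SUBJECT))
    # A constant-OU profile ignores whatever OU the CSR carries.
    print(evaluate_profile(CONSTANT_OU_DEFAULT, PATTERN,
                           CSR_SUBJECT.replace("OU=Test", "OU=Other")))
```

The third call shows why the constant-OU workaround also addresses the caveat in the reply: since the profile, not the CSR, fixes the OU, a CSR carrying an unexpected OU cannot influence the issued subject.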