[Pki-users] Rewrite of Subject in profile

Fraser Tweedale ftweedal at redhat.com
Mon Apr 4 00:53:26 UTC 2016


On Thu, Feb 25, 2016 at 08:25:54AM +0000, Supper Florian OSS sIT wrote:
> Hi and good morning.
> 
> I get some requests from mobile devices which are very poor.
> 
> Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
> 
> With this subject name, it is not possible to enroll a certificate, because of the "\x00" at the end.
> 
> So I'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN.
> I've tried some patterns and configs, but it doesn't work.
> Does one of you know how this could work?
> 
Florian,

The null byte at end of CN makes it an invalid CSR.  I think it is
unlikely that a configuration change can redeem this request, but if
you provide an example CSR I will see where the request fails and
determine what, if anything, can be done right now.

For dealing with this in future it might be possible to add a
configurable to scrub null bytes from request DN values.

> policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
> policyset.cmcUserCertSet.1.constraint.params.accept=true
> policyset.cmcUserCertSet.1.constraint.params.pattern=.*
> policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
> policyset.cmcUserCertSet.1.default.name=Subject Name Default
> policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
> 
> In the second way, I want to set the whole subject like this below. But I want to use the CN which comes in the CSR.
> Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com
> 
The config you want here is:

    policyset.cmcUserCertSet.1.default.params.name=C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=$request.req_subject_name$, E=pki-AT-example.com

Cheers,
Fraser
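
An added example, not part of the original message and not Dogtag code: a minimal pure-Python DER walk that flags NUL bytes in the string values of a subject Name, the condition described above, so such requests can be caught before they reach the CA. The function names and the sample Name are constructed for illustration, and the Name is assumed to have been extracted from the CSR already.

```python
# Added example (not Dogtag code): walk a DER-encoded X.509 Name and report
# attribute values that contain NUL bytes, as in the CN quoted in this thread.
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8, Printable, Teletex, IA5 strings
CN_OID = bytes.fromhex("550403")        # 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested directly inside value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_nul_values(name_der):
    """Return [(oid_hex, raw_value)] for string values containing a NUL byte."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    hits = []
    for _, rdn in children(rdns):               # each RDN is a SET
        for _, atv in children(rdn):            # AttributeTypeAndValue SEQUENCE
            (_, oid), (val_tag, val) = list(children(atv))[:2]
            if val_tag in STRING_TAGS and b"\x00" in val:
                hits.append((oid.hex(), val))
    return hits

def tlv(tag, value):
    """Encode one short-form DER element (constructed test data only)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def build_name(cn):
    """Build a one-RDN Name holding only a CN (constructed sample input)."""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn))))

# Constructed sample: the CN from this thread, including its trailing NUL.
SAMPLE = build_name(b"B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00")
```
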



