[Pki-users] Rewrite of Subject in profile
Fraser Tweedale
ftweedal at redhat.com
Mon Apr 4 00:53:26 UTC 2016
On Thu, Feb 25, 2016 at 08:25:54AM +0000, Supper Florian OSS sIT wrote:
> Hi and good morning.
>
> I get some requests from mobile devices which are very poor.
>
> Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
>
> With this subject name, it is not possible to enroll a certificate, because of the " \x00" at the end.
>
> So I'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN.
> I've tried some patterns and configs, but it doesn't work.
> Does one of you know how this could work?
>
Florian,

The null byte at end of CN makes it an invalid CSR. I think it is
unlikely that a configuration change can redeem this request, but if
you provide an example CSR I will see where the request fails and
determine what, if anything, can be done right now.

For dealing with this in future it might be possible to add a
configurable to scrub null bytes from request DN values.

> policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
> policyset.cmcUserCertSet.1.constraint.params.accept=true
> policyset.cmcUserCertSet.1.constraint.params.pattern=.*
> policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
> policyset.cmcUserCertSet.1.default.name=Subject Name Default
> policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
>
> In the second way, I want to set the whole subject like this below. But I want to use the CN which comes in the CSR.
> Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com
>
The config you want here is:

policyset.cmcUserCertSet.1.default.params.name=C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=$request.req_subject_name$, E=pki-AT-example.com

Cheers,
Fraser
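
A pre-enrollment check for the malformed subject discussed in this thread, as an added example that is not part of the original messages or of Dogtag: it walks a DER-encoded X.501 Name and reports attribute values that contain a NUL character. The helper names and the sample Name are constructed for illustration, and extracting the subject bytes from the CSR is assumed to happen elsewhere.

```python
SINGLE_BYTE = {0x0C, 0x13, 0x14, 0x16}  # UTF8, Printable, Teletex, IA5 strings
BMP_STRING = 0x1E                        # UTF-16BE: 0x00 bytes are normal here

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def has_nul(tag, value):
    if tag == BMP_STRING:                # decode first so padding bytes don't count
        return "\x00" in value.decode("utf-16-be", errors="replace")
    return tag in SINGLE_BYTE and b"\x00" in value

def nul_attributes(name_der):
    """List (oid, raw_value) for every attribute value holding a NUL character."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    hits, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)      # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid, off = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, off)
            if has_nul(vtag, value):
                hits.append((decode_oid(oid), value))
    return hits

# Constructed sample (short-form lengths only): O plus the CN from this thread.
def tlv(tag, body): return bytes([tag, len(body)]) + body
def rdn(oid_hex, tag, value):
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(tag, value)))
SAMPLE = tlv(0x30, rdn("55040a", 0x13, b"My Company GmbH")
             + rdn("550403", 0x0C, b"B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00"))
```

The CSR's signature covers the subject, so a hit here is a reason to reject the request or to set the cleaned value on the issued certificate's subject, not to edit the CSR bytes in place.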