From vlk at lcpe.uni-sofia.bg  Sun Apr  2 00:17:42 2017
From: vlk at lcpe.uni-sofia.bg (Vesselin Kolev)
Date: Sat, 1 Apr 2017 17:17:42 -0700
Subject: [Pki-users] Uniqueness of Subject Name issue
Message-ID: <8441d8df-7af8-a57b-dd08-878380ab1323@lcpe.uni-sofia.bg>

Hello,

I installed the latest version of DogTag, but I have a problem with the uniqueness of the Subject Name. By default I can issue more than one certificate with the same Subject Name. The problem becomes even worse when I use a profile based on directory authentication. So it looks like anyone with proper credentials can issue a countless number of certificates with the same subject.

Since it is a fresh installation and only the LDAP authenticator and publisher are configured, I doubt it is an error related to any intervention in the certificate profiles. On the other side, I can't find this discussed in any detail in the documentation (even in the one for Red Hat Certificate Server).

Am I doing anything wrong, or is it expected? Or, if it is the default, how could I make it possible to limit the users using automatic enrollment to having only one certificate?

Thank you very much in advance for your answer.

Best regards,

Veselin Kolev


From ftweedal at redhat.com  Sun Apr  2 22:23:19 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 3 Apr 2017 08:23:19 +1000
Subject: [Pki-users] Uniqueness of Subject Name issue
In-Reply-To: <8441d8df-7af8-a57b-dd08-878380ab1323@lcpe.uni-sofia.bg>
References: <8441d8df-7af8-a57b-dd08-878380ab1323@lcpe.uni-sofia.bg>
Message-ID: <20170402222318.GP10261@dhcp-40-8.bne.redhat.com>

On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
> Hello,
>
> I installed the latest version of DogTag, but I have a problem with the uniqueness of the Subject Name. By default I can issue more than one certificate with the same Subject Name. The problem becomes even worse when I use a profile based on directory authentication. So it looks like anyone with proper credentials can issue a countless number of certificates with the same subject.
>
> Since it is a fresh installation and only the LDAP authenticator and publisher are configured, I doubt it is an error related to any intervention in the certificate profiles. On the other side, I can't find this discussed in any detail in the documentation (even in the one for Red Hat Certificate Server).
>
> Am I doing anything wrong, or is it expected? Or, if it is the default, how could I make it possible to limit the users using automatic enrollment to having only one certificate?
>
> Thank you very much in advance for your answer.
>
> Best regards,
>
> Veselin Kolev
>
Hi Veselin,

In general, it does not make sense to limit a subject to one
certificate. There are many reasons:

- different certs for different purposes for same subject

- certificates with different keys (or key types) for same subject

- the need for an "overlap" between certs that are soon to expire,
  and the replacement

If you really do need to limit number of certs issued per subject,
you could write profile constraint components to enforce that. But
they do not exist already, and we are unlikely to implement them.

Thanks,
Fraser


From vlk at lcpe.uni-sofia.bg  Sun Apr  2 22:35:25 2017
From: vlk at lcpe.uni-sofia.bg (Vesselin Kolev)
Date: Sun, 2 Apr 2017 15:35:25 -0700
Subject: [Pki-users] Uniqueness of Subject Name issue
In-Reply-To: <20170402222318.GP10261@dhcp-40-8.bne.redhat.com>
References: <8441d8df-7af8-a57b-dd08-878380ab1323@lcpe.uni-sofia.bg> <20170402222318.GP10261@dhcp-40-8.bne.redhat.com>
Message-ID: <0b232b6b-2315-8e86-b152-631cb9915991@lcpe.uni-sofia.bg>

Thank you for the direct and clear answer, Fraser!

I do understand the reason why it is possible to have more than one certificate with the same subjectName. But sometimes there are specific requirements for the client. I will implement a constraint and try to solve the problem in that way.

Best regards,

Veselin

On 04/02/2017 03:23 PM, Fraser Tweedale wrote:
> On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
>> Hello,
>>
>> I installed the latest version of DogTag, but I have a problem with the uniqueness of the Subject Name. By default I can issue more than one certificate with the same Subject Name. The problem becomes even worse when I use a profile based on directory authentication. So it looks like anyone with proper credentials can issue a countless number of certificates with the same subject.
>>
>> Since it is a fresh installation and only the LDAP authenticator and publisher are configured, I doubt it is an error related to any intervention in the certificate profiles. On the other side, I can't find this discussed in any detail in the documentation (even in the one for Red Hat Certificate Server).
>>
>> Am I doing anything wrong, or is it expected? Or, if it is the default, how could I make it possible to limit the users using automatic enrollment to having only one certificate?
>>
>> Thank you very much in advance for your answer.
>>
>> Best regards,
>>
>> Veselin Kolev
>>
> Hi Veselin,
>
> In general, it does not make sense to limit a subject to one
> certificate. There are many reasons:
>
> - different certs for different purposes for same subject
>
> - certificates with different keys (or key types) for same subject
>
> - the need for an "overlap" between certs that are soon to expire,
>   and the replacement
>
> If you really do need to limit number of certs issued per subject,
> you could write profile constraint components to enforce that. But
> they do not exist already, and we are unlikely to implement them.
>
> Thanks,
> Fraser


From ftweedal at redhat.com  Sun Apr  2 23:37:05 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 3 Apr 2017 09:37:05 +1000
Subject: [Pki-users] Uniqueness of Subject Name issue
In-Reply-To: <0b232b6b-2315-8e86-b152-631cb9915991@lcpe.uni-sofia.bg>
References: <8441d8df-7af8-a57b-dd08-878380ab1323@lcpe.uni-sofia.bg> <20170402222318.GP10261@dhcp-40-8.bne.redhat.com> <0b232b6b-2315-8e86-b152-631cb9915991@lcpe.uni-sofia.bg>
Message-ID: <20170402233705.GQ10261@dhcp-40-8.bne.redhat.com>

On Sun, Apr 02, 2017 at 03:35:25PM -0700, Vesselin Kolev wrote:
> Thank you for the direct and clear answer, Fraser!
>
> I do understand the reason why it is possible to have more than one certificate with the same subjectName. But sometimes there are specific requirements for the client. I will implement a constraint and try to solve the problem in that way.
>
Good luck. Reach out if you have specific questions.

> Best regards,
>
> Veselin
>
>
> On 04/02/2017 03:23 PM, Fraser Tweedale wrote:
> > On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
> >> Hello,
> >>
> >> I installed the latest version of DogTag, but I have a problem with the uniqueness of the Subject Name. By default I can issue more than one certificate with the same Subject Name. The problem becomes even worse when I use a profile based on directory authentication. So it looks like anyone with proper credentials can issue a countless number of certificates with the same subject.
> >>
> >> Since it is a fresh installation and only the LDAP authenticator and publisher are configured, I doubt it is an error related to any intervention in the certificate profiles. On the other side, I can't find this discussed in any detail in the documentation (even in the one for Red Hat Certificate Server).
> >>
> >> Am I doing anything wrong, or is it expected? Or, if it is the default, how could I make it possible to limit the users using automatic enrollment to having only one certificate?
> >>
> >> Thank you very much in advance for your answer.
> >>
> >> Best regards,
> >>
> >> Veselin Kolev
> >>
> > Hi Veselin,
> >
> > In general, it does not make sense to limit a subject to one
> > certificate. There are many reasons:
> >
> > - different certs for different purposes for same subject
> >
> > - certificates with different keys (or key types) for same subject
> >
> > - the need for an "overlap" between certs that are soon to expire,
> >   and the replacement
> >
> > If you really do need to limit number of certs issued per subject,
> > you could write profile constraint components to enforce that. But
> > they do not exist already, and we are unlikely to implement them.
> >
> > Thanks,
> > Fraser
>
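Fraser's pointer to writing a profile constraint component is the technical core of this thread, and the reasons he gives against a blanket "one certificate per subject" rule are exactly the cases such a constraint has to leave open. The block below is an added example, not code from Dogtag or from either poster: it models in Python the decision logic a constraint of that kind would implement, against a small constructed in-memory stand-in for the CA's certificate repository. A request is rejected only when the subject already holds an active certificate for the same purpose that is not yet within a renewal window; revoked and expired certificates never count, certificates for a different key usage do not count, and an active certificate close to expiry may be overlapped by its replacement. The record and request classes, `RejectException`, the field names and the sample data are all assumptions made for the demo; in a real constraint the active-certificate list would be looked up in the CA's own repository.

```python
"""Decision logic for a "one active certificate per subject" profile constraint.

Added example, not Dogtag code: IssuedCert, EnrollmentRequest, RejectException
and SAMPLE_REPO are constructed stand-ins for the CA's certificate repository
and for the enrollment request the constraint inspects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IssuedCert:
    """Minimal view of one certificate record (constructed for the demo)."""
    serial: int
    subject: str             # subject DN as a string
    not_after: datetime      # expiry, timezone-aware
    key_usage: frozenset     # e.g. {"digitalSignature"}; empty if not recorded
    revoked: bool = False


@dataclass(frozen=True)
class EnrollmentRequest:
    """The part of an enrollment request the constraint needs (constructed)."""
    subject: str
    key_usage: frozenset


class RejectException(Exception):
    """Raised when the constraint rejects the request."""


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive comparison key for a DN string.
    String normalization suffices for the demo; a real constraint should
    compare parsed X.500 names so RDN ordering and escaping are handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def active_certs(repo, subject, now):
    """Certificates for `subject` that are neither revoked nor expired."""
    want = normalize_dn(subject)
    return [c for c in repo
            if normalize_dn(c.subject) == want and not c.revoked and c.not_after > now]


def validate_one_active_cert(repo, request, now,
                             renewal_window=timedelta(days=30), per_key_usage=True):
    """Reject unless the subject holds no conflicting active certificate.

    An active certificate does not conflict when it expires within
    `renewal_window` (the renewal overlap from the thread) or, with
    per_key_usage, when it serves a different key usage. A certificate with no
    recorded key usage is treated as conflicting (the conservative choice).
    Returns the active certificates the new one is allowed to overlap.
    """
    active = active_certs(repo, request.subject, now)
    if per_key_usage:
        active = [c for c in active
                  if not c.key_usage or not request.key_usage
                  or c.key_usage & request.key_usage]
    blocking = [c for c in active if c.not_after - now > renewal_window]
    if blocking:
        serials = ", ".join(hex(c.serial) for c in blocking)
        raise RejectException(
            f"subject {request.subject!r} already holds active certificate(s) {serials}")
    return active


def constraint_verdict(repo, request, now, **kwargs):
    """Wrap the constraint as ("accept", overlapped serials) or ("reject", reason)."""
    try:
        return "accept", [c.serial for c in validate_one_active_cert(repo, request, now, **kwargs)]
    except RejectException as exc:
        return "reject", str(exc)


# Constructed sample repository; NOW matches the thread's date.
NOW = datetime(2017, 4, 2, tzinfo=timezone.utc)
SIG = frozenset({"digitalSignature"})
ENC = frozenset({"keyEncipherment"})
SAMPLE_REPO = [
    IssuedCert(0x10, "CN=alice,OU=users,O=example", NOW + timedelta(days=300), SIG),
    IssuedCert(0x11, "cn=bob, ou=users, o=example", NOW + timedelta(days=10), SIG),  # renewal due
    IssuedCert(0x12, "CN=carol,OU=users,O=example", NOW + timedelta(days=300), SIG, revoked=True),
    IssuedCert(0x13, "CN=dave,OU=users,O=example", NOW + timedelta(days=300), ENC),
]


def demo(repo=SAMPLE_REPO, now=NOW):
    """Run one signing-certificate request per subject through the constraint."""
    verdicts = {}
    for name in ("alice", "bob", "carol", "dave", "erin"):
        req = EnrollmentRequest(f"CN={name},OU=users,O=example", SIG)
        verdicts[name] = constraint_verdict(repo, req, now)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:6} {verdict[0]:7} {verdict[1]}")
```

With the sample data, alice is rejected (an unexpired signing certificate with 300 days left), bob is accepted because his existing certificate is within the 30-day renewal window, carol is accepted because her only certificate is revoked, dave is accepted because his existing certificate is for key encipherment rather than signing, and erin has nothing on file. Passing `per_key_usage=False` turns the check into a strict one-active-certificate rule, which is what rejects dave's request. The `renewal_window` and the key-usage scoping are the two knobs to decide on before writing a real constraint, since they determine whether the three legitimate cases from the thread still work.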