[Pki-users] Uniqueness of Subject Name issue
Fraser Tweedale
ftweedal at redhat.com
Sun Apr 2 22:23:19 UTC 2017
On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
> Hello,
>
> I installed the last version of DogTag but I have a problem with the
> uniqueness of the Subject Name. By default I can issue more than one
> certificate with the same Subject Name. The problem becomes even worst
> when I use a profile based on directory authentication. So it looks that
> anyone with proper credentials can issue countless number of certificate
> with the same subject.
>
> Since is it a fresh installation and only the LDAP authenticator and
> publisher are configured I doubt it is an error related to any
> intervention to the certificate profiles. On the other side I can't fine
> in the documentation (even in the on of Red Hat Certificate Server) this
> discussed in any details.
>
> Do I do anything wrong or it is expected? Or if it is by default how
> could I make it possible to limit the users using the automatic
> enrolling to be able to have only one certificate?
>
> Thank you very much in advance for your answer.
>
> Best regards,
>
> Veselin Kolev
>
Hi Veselin,
In general, it does not make sense to limit a subject to one
certificate. There are many reasons:
- different certs for different purposes for same subject
- certificates with different keys (or key types) for same subject
- the need for an "overlap" between certs that are soon to expire,
and the replacement
If you really do need to limit number of certs issued per subject,
you could write profile constraint components to enforce that. But
they do not exist already, and we are unlikely to implement them.
Thanks,
Fraser
More information about the Pki-users
mailing list