[Pki-users] Uniqueness of Subject Name issue

Fraser Tweedale ftweedal at redhat.com
Sun Apr 2 23:37:05 UTC 2017 

On Sun, Apr 02, 2017 at 03:35:25PM -0700, Vesselin Kolev wrote:
> Thank you for the direct and clear answer, Fraser!
> 
> I do understand the reason why it is possible to have more than one
> certificate with the same subjectName. But sometimes there are specific
> requirements for the client. I will implement a constraint and try to
> solve the problem it that way.
> 
Good luck.  Reach out if you have specific questions.

> Best regards,
> 
> Veselin
> 
> 
> On 04/02/2017 03:23 PM, Fraser Tweedale wrote:
> > On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
> >> Hello,
> >>
> >> I installed the last version of DogTag but I have a problem with the
> >> uniqueness of the Subject Name. By default I can issue more than one
> >> certificate with the same Subject Name. The problem becomes even worst
> >> when I use a profile based on directory authentication. So it looks that
> >> anyone with proper credentials can issue countless number of certificate
> >> with the same subject.
> >>
> >> Since is it a fresh installation and only the LDAP authenticator and
> >> publisher are configured I doubt it is an error related to any
> >> intervention to the certificate profiles. On the other side I can't fine
> >> in the documentation (even in the on of Red Hat Certificate Server) this
> >> discussed in any details.
> >>
> >> Do I do anything wrong or it is expected? Or if it is by default how
> >> could I make it possible to limit the users using the automatic
> >> enrolling to be able to have only one certificate?
> >>
> >> Thank you very much in advance for your answer.
> >>
> >> Best regards,
> >>
> >> Veselin Kolev
> >>
> > Hi Veselin,
> >
> > In general, it does not make sense to limit a subject to one
> > certificate.  There are many reasons:
> >
> > - different certs for different purposes for same subject
> >
> > - certificates with different keys (or key types) for same subject
> >
> > - the need for an "overlap" between certs that are soon to expire,
> >   and the replacement
> >
> > If you really do need to limit number of certs issued per subject,
> > you could write profile constraint components to enforce that.  But
> > they do not exist already, and we are unlikely to implement them.
> >
> > Thanks,
> > Fraser
>

More information about the Pki-users mailing list