[Freeipa-devel] [PATCH] 351 configurable certificate subjects
Rob Crittenden
rcritten at redhat.com
Wed Jan 20 16:31:29 UTC 2010
Let the user, upon installation, set the certificate subject base for
the dogtag CA. Certificate requests will automatically be given this
subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't conform
to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does NOT
dynamically update the configuration, for dogtag at least. The file
/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be
updated and pki-cad restarted.
For example:
# ipa-server-install --ca --subject="O=Example"
If the installed CA is dogtag then the following will happen:
1. request for CN=test.example.com will issue CN=test.example.com, O=Example
2. request for CN=test.example.com, O=Test will issue CN=test.example.com, O=Example
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example
If the installed CA is selfsign then the following will happen:
1. request for CN=test.example.com will be rejected
2. request for CN=test.example.com, O=Test will be rejected
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example
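To make the two behaviours above concrete, the following is an added example in plain Python; it is not code from the patch or from FreeIPA. It models the stated policy only: the dogtag path keeps the CN from the request and replaces every other RDN with the configured subject base, while the selfsign path accepts a request only if its subject already equals CN plus the subject base. The DN parser is a simplified one written for this illustration (no escaping, no multi-valued RDNs), and the function names and the `ca` argument are assumptions, not the plugin interface.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Parse a comma-separated DN such as 'CN=host, O=Example' into (attr, value) pairs.

    Constructed for this example: attribute types are compared case-insensitively,
    but there is no support for escaped commas or multi-valued RDNs.
    """
    parts: List[RDN] = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def format_dn(parts: List[RDN]) -> str:
    """Render (attr, value) pairs back into the 'CN=x, O=y' form used in the mail."""
    return ", ".join(f"{attr}={value}" for attr, value in parts)


def issue_subject(csr_subject: str, subject_base: str, ca: str) -> Optional[str]:
    """Return the subject the CA would issue for this CSR, or None if the request is rejected.

    ca is a hypothetical selector: "dogtag" models the profile that rewrites the subject,
    "selfsign" models the plugin that only accepts already-conforming subjects.
    """
    requested = parse_dn(csr_subject)
    cn = next((value for attr, value in requested if attr == "CN"), None)
    if cn is None:
        # Without a CN there is nothing to carry over into the issued subject.
        return None

    # The subject every issued certificate must end up with: CN from the request,
    # everything else taken from the installation-time subject base.
    expected = [("CN", cn)] + parse_dn(subject_base)

    if ca == "dogtag":
        # dogtag: the CSR's own O/OU/etc. are ignored and replaced by the base.
        return format_dn(expected)
    if ca == "selfsign":
        # selfsign: no rewriting, so only an exact match against the base is issued.
        return format_dn(requested) if requested == expected else None
    raise ValueError(f"unknown CA type: {ca!r}")


if __name__ == "__main__":
    base = "O=Example"
    for subject in ("CN=test.example.com",
                    "CN=test.example.com, O=Test",
                    "CN=test.example.com, O=Example"):
        for ca_type in ("dogtag", "selfsign"):
            result = issue_subject(subject, base, ca_type)
            print(f"{ca_type:8} {subject!r:40} -> {result or 'rejected'}")
```

Running the module walks through the three request shapes from the mail against both CA types, which is a quick way to check that a proposed subject base behaves as expected before committing it at install time.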
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-351-subject.patch
Type: application/mbox
Size: 35534 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20100120/db85bcc2/attachment.mbox>