[Freeipa-devel] [PATCH] 351 configurable certificate subjects

John Dennis jdennis at redhat.com
Wed Jan 20 18:21:10 UTC 2010


On 01/20/2010 11:31 AM, Rob Crittenden wrote:
> Let the user, upon installation, set the certificate subject base for
> the dogtag CA. Certificate requests will automatically be given this
> subject base, regardless of what is in the CSR.
>
> The selfsign plugin does not currently support this dynamic name
> re-assignment and will reject any incoming requests that don't conform
> to the subject base.
>
> The certificate subject base is stored in cn=ipaconfig but it does NOT
> dynamically update the configuration, for dogtag at least. The file
> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be
> updated and pki-cad restarted.
>
> For example:
> # ipa-server-install --ca --subject="O=Example"
>
> If the installed CA is dogtag then the following will happen:
>
> 1. request for CN=test.example.com will issue CN=test.example.com,
> O=Example
> 2. request for CN=test.example.com, O=Test will issue
> CN=test.example.com, O=Example
> 3. request for CN=test.example.com, O=Example will issue
> CN=test.example.com, O=Example
>
> If the installed CA is selfsign then the following will happen:
>
> 1. request for CN=test.example.com will be rejected
> 2. request for CN=test.example.com, O=Test will be rejected
> 3. request for CN=test.example.com, O=Example will issue
> CN=test.example.com, O=Example
>
> rob

ACK

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
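The two CA behaviours Rob describes above, as an added Python model that is not FreeIPA's or dogtag's own code: a dogtag-style CA keeps only the CN from the CSR and appends the configured subject base, so a requester cannot obtain a certificate outside the CA's namespace; a selfsign-style CA does no rewriting and rejects any request whose subject does not already match. It assumes "conform to the subject base" means the CSR's non-CN attributes equal the base exactly, and its DN parsing does not handle escaped commas.

```python
# Configured at install time: ipa-server-install --ca --subject="O=Example"
SUBJECT_BASE = "O=Example"


def parse_dn(dn):
    """Split 'CN=host, O=Test' into ordered (ATTR, value) pairs.
    Simplified parser: no support for escaped commas or multi-valued RDNs."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def format_dn(parts):
    return ", ".join(f"{attr}={value}" for attr, value in parts)


def dogtag_issue(csr_subject, subject_base=SUBJECT_BASE):
    """Dogtag profile behaviour: the issued subject is the CSR's CN plus the
    configured base, whatever else the CSR asked for."""
    cns = [value for attr, value in parse_dn(csr_subject) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError("CSR subject must carry exactly one CN")
    return format_dn([("CN", cns[0])] + parse_dn(subject_base))


def selfsign_issue(csr_subject, subject_base=SUBJECT_BASE):
    """Selfsign plugin behaviour: no re-assignment; accept only a CSR whose
    subject already equals CN + base (assumption: exact match), else reject."""
    expected = dogtag_issue(csr_subject, subject_base)
    if parse_dn(csr_subject) != parse_dn(expected):
        return None  # rejected
    return expected


def walk_cases(subject_base=SUBJECT_BASE):
    """Run the three requests from the patch description through both CAs."""
    requests = ["CN=test.example.com",
                "CN=test.example.com, O=Test",
                "CN=test.example.com, O=Example"]
    return {req: (dogtag_issue(req, subject_base), selfsign_issue(req, subject_base))
            for req in requests}
```

Each value in the returned dict is the pair (dogtag result, selfsign result), with None marking a rejection.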
