On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
> On 15.8.2016 15:16, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> >> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >>>>> Hah! This is what I get for thinking I know what the output has to look
> >>>>> like, and not testing all the way through to requesting the cert. I'll
> >>>>> change the profile to generate a subject with CN= instead of UID=.
> >>>>> Updated patch is attached. Unfortunately these rules are only updated at
> >>>>> ipa-server-install time, so if you'd like to fix it without
> >>>>> reinstalling:
> >>>>>
> >>> (Tangential commentary...) Yeah, currently cert-request demands the
> >>> CN. There is a design to relax the requirement to handle empty
> >>> subject names (look at SAN only). IMO it would make sense to accept
> >>> other "obvious" mappings in Subject DN like accepting UID instead of
> >>> CN for user subjects, but that would be a separate RFE. No one has
> >>> actually asked for it yet :)
> >>
> >> Side-note:
> >> I thought that subject format is enforced by certificate profile on server.
> >> Am I wrong?
> >>
> > You are right - what I suggested above would (today) require a
> > custom profile.
>
> Sooo...
> can we just relax existing profiles not to require CN= but accept SAN-only
> CSRs?
>
> :-)
>
That is absolutely going to happen as part of
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance :)
