On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
>
> On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote:
> > Radosław Kujawa via FreeIPA-users wrote:
> > > Hi list.
> > >
> > > Is it possible to add an email subjectAltName to a certificate when it is
> > > being signed by the IPA?
> > >
> >
> > How would the profile know what e-mail to add?
> >
>
> These certificates are treated by IPA as "user certificates". The CN is set
> to the IPA user's login.
>
> By some magic, IPA knows that such a certificate should be added to the LDAP
> object representing a particular user.
>
> I hoped it would be possible to instruct it to fetch the email attribute
> from the LDAP object when signing the cert (based on the CN) and put it into
> subjectAltName.
>
> Best regards,
> Radoslaw
A modern enterprise PKI should be able to do it. But FreeIPA cannot. It's fundamentally possible but a lot of work to achieve it. I blogged about it several years ago:

https://frasertweedale.github.io/blog-redhat/posts/2015-11-04-freeipa-pki-future.html

For now, you must get the rfc822Name into the CSR's SAN extension, somehow. What tool are you using to generate those CSRs? Perhaps we can help find a way to do it.

Cheers,
Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
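One way to do what Fraser describes with plain openssl, as an added example that is not part of the thread: put the IPA login in the CN and the user's address in the SAN as an rfc822Name at CSR-generation time, then check the CSR before handing it to `ipa cert-request`. The login `alice` and the address `alice@example.test` are constructed values; the script assumes an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not FreeIPA's own tooling). Generates a user CSR whose
# subject CN is the IPA login and whose Subject Alternative Name carries the
# user's e-mail as an rfc822Name, then verifies the CSR really contains it.
set -eu

# make_user_csr LOGIN EMAIL OUTDIR
# Writes OUTDIR/LOGIN.key and OUTDIR/LOGIN.csr. A throwaway config file is
# used so that the requested extensions work on any openssl release; the
# same result can be had on OpenSSL >= 1.1.1 with -addext.
make_user_csr() {
    login=$1; email=$2; outdir=$3
    mkdir -p "$outdir"
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name = dn\nreq_extensions = san\n[dn]\n[san]\nsubjectAltName = email:%s\n' \
        "$email" > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$login.key" \
        -subj "/CN=$login" \
        -config "$cfg" \
        -out "$outdir/$login.csr" 2>/dev/null
    rm -f "$cfg"
}

# csr_cn CSR -> prints the subject in RFC 2253 form, e.g. "CN=alice"
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_has_email CSR EMAIL -> succeeds only if EMAIL appears as an rfc822Name
# in the requested SAN extension (openssl prints it as "email:<address>").
csr_has_email() {
    openssl req -in "$1" -noout -text | grep -F "email:$2" >/dev/null
}

# Usage: build the CSR, refuse to submit it if the SAN is missing.
# The submission itself (ipa cert-request <csr> --principal <login>) is
# deliberately not run here.
if [ "${1:-}" = "run" ]; then
    make_user_csr alice alice@example.test ./csr-out
    csr_has_email ./csr-out/alice.csr alice@example.test \
        || { echo "CSR lacks rfc822Name SAN, not submitting" >&2; exit 1; }
    echo "subject: $(csr_cn ./csr-out/alice.csr)"
fi
```

As far as I know, IPA's cert-request validates rfc822Name SAN values against the user's mail attribute, so the address placed in the CSR should be one already stored on the user's LDAP entry.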