Well, I want to add SAN::UPN (as LDAP's krbPrincipalName), SAN::DN (as in LDAP, `fqdn=...,cn=computers,...`) and SAN::UUID (as in LDAP's ipaUniqueID) to issue many short-lived certs for workstations that don't get written to userCertificates.
Currently I found that the UPN value is provided by the host in the CSR, and the DN and ipaUniqueID are not provided at all. MUST those values be provided in the CSR generated on the host side, or can FreeIPA or DogTag fill them in by themselves? Is it possible to make DogTag get those props from LDAP? I found the `DomainController.cfg` profile, which has genericInputImpl, which I assume stands for some kind of "generic input", and nsTokenUserKeySubjectNameDefaultImpl, which has something about LDAP. And I didn't find anything related to CSR validation in the IPA code; please point me to it.