On Tue, Nov 05, 2024 at 03:59:51PM -0000, Alexey Filimonov via FreeIPA-users 
wrote:
> > What program generates the CSR?  Most programs don't provide a
> > convenient way to add DirectoryName and UUID SAN values.  But where
> > there is a will, there is a way.
> 
> ipa-getcert request --id=802_1x --profile=ca802_1xCert \
> 
Certmonger (getcert) does not provide a way to set DirectoryName or
URI values in the generated CSRs.  This is a valid RFE (and
feasible).

> > Because of the way the Dogtag/IPA integration works, all data must
> > be supplied via the CSR (so FreeIPA cannot modify them).
> 
> And what about `GenericInputImpl`? Can't it be used to provide additional 
> data from IPA?

This could be an interesting experiment, but in my experience the
profile input and templating system is extremely brittle.  Even if
it could be made robust and general enough for real world use cases,
IPA would have to be taught (i.e. hard coded) which attributes to
propagate to the request.

Because we would have to change IPA anyway, I think the better
approach is to update IPA to verify the UUID (URI) and DirectoryName
SAN values against the subject principal's LDAP entry.  This
approach is straightforward to implement, and robust.  But it also
requires those SAN values to be defined in the CSR and, as discussed
above, Certmonger does not yet support that.

We can achieve what you want through these modest RFEs for FreeIPA
and Certmonger.  It is up to the IPA team to consider them.  But I
think they are unlikely to accept proposals that are more effort
than what I have proposed, or less well understood.

Cheers,
Fraser
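As an added illustration of the verification step proposed above (not code from this thread, FreeIPA or Certmonger), the following Python sketch checks a CSR's URI and DirectoryName SAN values against the requesting principal's LDAP entry. It assumes the SAN values have already been extracted from the CSR, that the URI SAN carries the principal's ipaUniqueID in `urn:uuid:` form, and that the entry is represented as a dict with `dn` and `ipaUniqueID` keys; all of these shapes are assumptions.

```python
import re
import uuid

# Assumption (not from the thread): the URI SAN is "urn:uuid:<ipaUniqueID>"
# and the DirectoryName SAN is the principal's LDAP DN.
UUID_URN = re.compile(r"^urn:uuid:([0-9a-f-]{36})$", re.IGNORECASE)


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lowercase attribute types and
    strip whitespace around commas and '='.  RDN escaping is not handled;
    this is a sketch, not a full RFC 4514 comparison."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def san_matches_entry(san_uris, san_dirnames, entry):
    """Return a list of rejection reasons.  An empty list means every
    URI and DirectoryName SAN in the CSR agrees with the principal's entry,
    so the CA can safely issue the certificate with those names."""
    problems = []
    expected_uuid = uuid.UUID(entry["ipaUniqueID"])
    for value in san_uris:
        m = UUID_URN.match(value)
        if not m:
            problems.append(f"URI SAN {value!r} is not a urn:uuid")
            continue
        if uuid.UUID(m.group(1)) != expected_uuid:
            problems.append(f"URI SAN {value!r} does not match ipaUniqueID")
    expected_dn = normalize_dn(entry["dn"])
    for value in san_dirnames:
        if normalize_dn(value) != expected_dn:
            problems.append(f"DirectoryName SAN {value!r} does not match entry DN")
    return problems


# Constructed sample entry for a hypothetical user; values are placeholders.
SAMPLE_ENTRY = {
    "dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "ipaUniqueID": "12345678-1234-5678-1234-567812345678",
}

if __name__ == "__main__":
    print(san_matches_entry(["urn:uuid:12345678-1234-5678-1234-567812345678"],
                            ["UID=alice, CN=users, CN=accounts, DC=example, DC=test"],
                            SAMPLE_ENTRY))
```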


> -- 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
