On Fri, Aug 29, 2025 at 11:45:20AM -0600, Orion Poplawski via FreeIPA-users 
wrote:
> That's unfortunate.  However, there is a bigger problem - the email address
> isn't making it into the certificate.
> 
> I generated the request with:
> 
> certutil -R -d /etc/pki/nssdb -a -s 'CN=it_help, E=it_h...@nwra.com,
> O=NorthWest Research Associates'
> 
> but the cert just has:
> 
>         Subject: O=NWRA.COM, CN=it_help

Include an RFC822Name in the Subject Alternative Name extension.
It will be validated against the subject principal's 'mail'
attribute values and propagated to the certificate.

Cheers,
Fraser

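As an added illustration of the advice above (example script, not part of the thread), this builds a CSR that carries the address as an RFC822Name in the Subject Alternative Name rather than as `E=` in the subject DN, and checks the CSR before it is submitted. It uses openssl (1.1.1 or later, for `-addext`) in place of the thread's certutil; the subject is the one from the request, the address is a placeholder, and the profile's `userExtensionDefaultImpl` with `userExtOID=2.5.29.17` is what lets the requested SAN through, where FreeIPA then checks it against the user's `mail` attribute.

```shell
#!/bin/sh
# Added example: request an S/MIME cert with the email in the SAN, then verify.
# Assumes openssl >= 1.1.1. EMAIL is a placeholder; it must match one of the
# IPA user's 'mail' values or the request will be rejected.
set -eu

SUBJECT='/CN=it_help/O=NorthWest Research Associates'
EMAIL='it_help@example.com'   # placeholder, not the real address from the thread

# Build key + CSR. The address goes into SAN (OID 2.5.29.17), not the DN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" \
        -subj "$SUBJECT" \
        -addext "subjectAltName=email:$EMAIL" 2>/dev/null
}

# Print every RFC822Name found in the CSR's SAN extension, one per line.
# Handles SANs with several names (openssl prints them comma-separated).
csr_san_emails() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*email:\([^[:space:]]*\).*/\1/p'
}

# Return 0 only if the CSR's SAN carries exactly the expected address.
check_csr() {
    csr_san_emails "$1" | grep -qx "$EMAIL"
}

# Stand-alone run: make a CSR and report whether the SAN is right.
work=$(mktemp -d)
make_csr "$work/it_help"
if check_csr "$work/it_help.csr"; then
    echo "ok: SAN rfc822Name present: $(csr_san_emails "$work/it_help.csr")"
else
    echo "missing: no rfc822Name in SAN; the CA will not add the email" >&2
fi
```

A CSR built the way the original request was (address only as `E=` in the subject) passes the subject-name constraint but yields no SAN email, which is exactly the symptom reported.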
> > > 
> > > auth.instance_id=raCertAuth
> > > classId=caEnrollImpl
> > > desc=This certificate profile is for enrolling user certificates
> > > with S/MIME capabilities extension
> > > enable=true
> > > enableBy=ipara
> > > input.i1.class_id=certReqInputImpl
> > > input.i2.class_id=submitterInfoInputImpl
> > > input.list=i1,i2
> > > name=Manual User S/MIME capabilities Certificate Enrollment
> > > output.list=o1
> > > output.o1.class_id=certOutputImpl
> > > policyset.list=serverCertSet
> > > policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> > > policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> > > policyset.serverCertSet.1.constraint.params.accept=true
> > > policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> > > policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> > > policyset.serverCertSet.1.default.name=Subject Name Default
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  O=NWRA.COM
> > > policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.10.constraint.name=No Constraint
> > > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> > > policyset.serverCertSet.10.default.name=Subject Key Identifier
> > > Extension Default
> > > policyset.serverCertSet.10.default.params.critical=false
> > > policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.11.constraint.name=No Constraint
> > > policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
> > > policyset.serverCertSet.11.default.name=User Supplied Extension Default
> > > policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> > > policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.12.constraint.name=No Constraint
> > > policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
> > > policyset.serverCertSet.12.default.name=Copy Common Name to Subject
> > > Alternative Name
> > > policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
> > > policyset.serverCertSet.2.constraint.name=Validity Constraint
> > > policyset.serverCertSet.2.constraint.params.notAfterCheck=false
> > > policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
> > > policyset.serverCertSet.2.constraint.params.range=740
> > > policyset.serverCertSet.2.default.class_id=validityDefaultImpl
> > > policyset.serverCertSet.2.default.name=Validity Default
> > > policyset.serverCertSet.2.default.params.range=731
> > > policyset.serverCertSet.2.default.params.startTime=0
> > > policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
> > > policyset.serverCertSet.3.constraint.name=Key Constraint
> > > policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> > > policyset.serverCertSet.3.constraint.params.keyType=RSA
> > > policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
> > > policyset.serverCertSet.3.default.name=Key Default
> > > policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.4.constraint.name=No Constraint
> > > policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
> > > policyset.serverCertSet.4.default.name=Authority Key Identifier Default
> > > policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.5.constraint.name=No Constraint
> > > policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
> > > policyset.serverCertSet.5.default.name=AIA Extension Default
> > > policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.nwra.com/ca/ocsp
> > > policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
> > > policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
> > > policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
> > > policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> > > policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
> > > policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
> > > policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
> > > policyset.serverCertSet.6.default.name=Key Usage Default
> > > policyset.serverCertSet.6.default.params.keyUsageCritical=true
> > > policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
> > > policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
> > > policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
> > > policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
> > > policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
> > > policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
> > > policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.7.constraint.name=No Constraint
> > > policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
> > > policyset.serverCertSet.7.default.name=Extended Key Usage Extension
> > > Default
> > > policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
> > > policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
> > > policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
> > > policyset.serverCertSet.8.constraint.name=No Constraint
> > > policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
> > > policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
> > > policyset.serverCertSet.8.default.name=Signing Alg
> > > policyset.serverCertSet.8.default.params.signingAlg=-
> > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
> > > policyset.serverCertSet.9.default.name=CRL Distribution Points
> > > Extension Default
> > > policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
> > > policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate
> > >  Authority,o=ipaca
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> > > policyset.serverCertSet.9.default.params.crlDistPointsNum=1
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.nwra.com/ipa/crl/MasterCRL.bin
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
> > > policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
> > > profileId=userSMIMECert
> > > visible=false
> > > 
> > > 
> > > -- 
> > > Orion Poplawski
> > > he/him/his  - surely the least important thing about me
> > > IT Systems Manager                         720-772-5637
> > > NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> > > 3380 Mitchell Lane                       or...@nwra.com
> > > Boulder, CO 80301                 https://www.nwra.com/
> > > 
> > > -- 
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-
> > > le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-
> > > us...@lists.fedorahosted.org
> > > Do not reply to spam, report it: https://pagure.io/fedora-
> > > infrastructure/new_issue
