On Fri, Aug 29, 2025 at 11:45:20AM -0600, Orion Poplawski via FreeIPA-users wrote:
> That's unfortunate. However, there is a bigger problem - the email address
> isn't making it into the certificate.
>
> I generated the request with:
>
> certutil -R -d /etc/pki/nssdb -a -s 'CN=it_help, E=it_h...@nwra.com,
> O=NorthWest Research Associates'
>
> but the cert just has:
>
> Subject: O=NWRA.COM, CN=it_help
Include an RFC822Name in the Subject Alternative Name extension. It will be validated against the subject principal's 'mail' attribute values and propagated to the certificate.

Cheers,
Fraser

> > > auth.instance_id=raCertAuth
> > > classId=caEnrollImpl
> > > desc=This certificate profile is for enrolling user certificates with S/MIME capabilities extension
> > > enable=true
> > > enableBy=ipara
> > > input.i1.class_id=certReqInputImpl
> > > input.i2.class_id=submitterInfoInputImpl
> > > input.list=i1,i2
> > > name=Manual User S/MIME capabilities Certificate Enrollment
> > > output.list=o1
> > > output.o1.class_id=certOutputImpl
> > > policyset.list=serverCertSet
> > > policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> > > policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> > > policyset.serverCertSet.1.constraint.params.accept=true
> > > policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> > > policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> > > policyset.serverCertSet.1.default.name=Subject Name Default
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=NWRA.COM
> > > policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.10.constraint.name=No Constraint
> > > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> > > policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
> > > policyset.serverCertSet.10.default.params.critical=false
> > > policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.11.constraint.name=No Constraint
> > > policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
> > > policyset.serverCertSet.11.default.name=User Supplied Extension Default
> > > policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> > > policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.12.constraint.name=No Constraint
> > > policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
> > > policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
> > > policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
> > > policyset.serverCertSet.2.constraint.name=Validity Constraint
> > > policyset.serverCertSet.2.constraint.params.notAfterCheck=false
> > > policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
> > > policyset.serverCertSet.2.constraint.params.range=740
> > > policyset.serverCertSet.2.default.class_id=validityDefaultImpl
> > > policyset.serverCertSet.2.default.name=Validity Default
> > > policyset.serverCertSet.2.default.params.range=731
> > > policyset.serverCertSet.2.default.params.startTime=0
> > > policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
> > > policyset.serverCertSet.3.constraint.name=Key Constraint
> > > policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> > > policyset.serverCertSet.3.constraint.params.keyType=RSA
> > > policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
> > > policyset.serverCertSet.3.default.name=Key Default
> > > policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.4.constraint.name=No Constraint
> > > policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
> > > policyset.serverCertSet.4.default.name=Authority Key Identifier Default
> > > policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.5.constraint.name=No Constraint
> > > policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
> > > policyset.serverCertSet.5.default.name=AIA Extension Default
> > > policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.nwra.com/ca/ocsp
> > > policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
> > > policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
> > > policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
> > > policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> > > policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
> > > policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
> > > policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
> > > policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
> > > policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
> > > policyset.serverCertSet.6.default.name=Key Usage Default
> > > policyset.serverCertSet.6.default.params.keyUsageCritical=true
> > > policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
> > > policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
> > > policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
> > > policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
> > > policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
> > > policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
> > > policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
> > > policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.7.constraint.name=No Constraint
> > > policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
> > > policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
> > > policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
> > > policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
> > > policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
> > > policyset.serverCertSet.8.constraint.name=No Constraint
> > > policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
> > > policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
> > > policyset.serverCertSet.8.default.name=Signing Alg
> > > policyset.serverCertSet.8.default.params.signingAlg=-
> > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
> > > policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
> > > policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
> > > policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> > > policyset.serverCertSet.9.default.params.crlDistPointsNum=1
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.nwra.com/ipa/crl/MasterCRL.bin
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
> > > policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
> > > profileId=userSMIMECert
> > > visible=false
> > >
> > > --
> > > Orion Poplawski
> > > he/him/his - surely the least important thing about me
> > > IT Systems Manager 720-772-5637
> > > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > > 3380 Mitchell Lane or...@nwra.com
> > > Boulder, CO 80301 https://www.nwra.com/
> > >
> > > --
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org
> > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
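As an added example (not code from this thread or from FreeIPA), the following builds the SAN extension value that Fraser's reply calls for, with an RFC822Name carried as GeneralName [1], and applies the check he describes against a constructed list of the principal's 'mail' values. The comparison rule (exact, case-sensitive) is an assumption; the thread does not state how FreeIPA compares the two.

```python
# Added example, not code from the thread or from FreeIPA: a minimal DER
# encoder/decoder for the subjectAltName extension value (OID 2.5.29.17, the
# userExtOID in the quoted profile) plus a validator mirroring the described
# check. Assumption: exact, case-sensitive comparison against 'mail' values.

TAG_RFC822 = 1  # GeneralName CHOICE [1] rfc822Name IA5String
TAG_DNS = 2     # GeneralName CHOICE [2] dNSName IA5String

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _general_name(tag, value):
    """Context-specific IMPLICIT primitive tag [tag] wrapping an IA5String."""
    raw = value.encode("ascii")
    return bytes([0x80 | tag]) + _der_len(len(raw)) + raw

def encode_san(emails, dns_names=()):
    """DER value of a SAN extension: SEQUENCE OF GeneralName."""
    body = b"".join(_general_name(TAG_RFC822, e) for e in emails)
    body += b"".join(_general_name(TAG_DNS, d) for d in dns_names)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, i):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if i + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[i:i + ln], i + ln

def decode_san(der):
    """Return [(choice_tag, raw_value), ...] for every GeneralName in the SAN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    names, i = [], 0
    while i < len(body):
        t, v, i = _read_tlv(body, i)
        names.append((t & 0x1F, v))  # strip class/constructed bits
    return names

def validate_rfc822_names(san_der, principal_mail):
    """rfc822Names not backed by the principal's 'mail' values; [] means accept."""
    allowed = set(principal_mail)
    emails = [v.decode("ascii") for t, v in decode_san(san_der) if t == TAG_RFC822]
    return [m for m in emails if m not in allowed]
```

With NSS certutil the same name is requested at CSR generation time with `--extSAN email:<address>` (placeholder address), which is what the quoted `certutil -R` invocation omitted: an `E=` component in the subject DN is not an RFC822Name in the SAN.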