Re: [Pki-devel] question on subject patterns

In IPA we use a profile that automatically issues server certificates. It uses a pattern to pluck the hostname out of the CSR and sticks that into a user-configurable subject template. The pattern is policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ The template by default looks like policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA We discovered that if CN is an RDN in the subject template then certificates get the wrong subject. For example, if we use CN=Test then the issued subject ends up being CN=Test, CN=Test. If we use CN=Test, CN=Coyote, O=Acme the issued subject is CN=Coyote,CN=Test,CN=Coyote,O=Acme We are creating the CSR with: /usr/bin/certutil -d /etc/httpd/alias -R -s CN=pinto.example.com,OU=Test,CN=Coyote,O=Acme -o /var/lib/ipa/ipa-iem5hd/tmpcertreq -k rsa -g 2048 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a So my questions are: 1. Do we just need to tweak the pattern? 2. Do I need to ban CN as an element of subjects? If it exists anywhere in the subject template it messes up the replacemnt.