In IPA we use a profile that automatically issues server certificates.
It uses a pattern to pluck the hostname out of the CSR and sticks that
into a user-configurable subject template.
The pattern is
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
The template by default looks like
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
We discovered that if CN is an RDN in the subject template then
certificates get the wrong subject.
For example, if we use CN=Test then the issued subject ends up being
CN=Test, CN=Test.
If we use CN=Test, CN=Coyote, O=Acme the issued subject is
CN=Coyote,CN=Test,CN=Coyote,O=Acme
We are creating the CSR with:
/usr/bin/certutil -d /etc/httpd/alias -R -s CN=pinto.example.com,OU=Test,CN=Coyote,O=Acme -o /var/lib/ipa/ipa-iem5hd/tmpcertreq -k rsa -g 2048 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a
So my questions are:
1. Do we just need to tweak the pattern?
2. Do I need to ban CN as an element of subjects? If it exists anywhere
in the subject template it messes up the replacement.
thanks
rob
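The constraint pattern quoted above, CN=[^,]+,.+, only requires that the subject start with a CN RDN followed by something; it says nothing about how many CN RDNs the subject contains. The following is an added illustration, not code from the message or from IPA/Dogtag: it parses a string subject into RDNs (honouring backslash-escaped commas, as in RFC 4514), lists every CN value, applies the pattern as a plain full-string regular-expression match, and counts the CN RDNs that a subject template would carry once its placeholder is filled in. The DN values are the ones quoted in the message; the function names and the "treat the template as a DN" check are this example's own assumptions and make no claim about how the CA itself performs the substitution.

```python
import re

# Constraint pattern quoted in the message (policyset.serverCertSet.1.constraint.params.pattern).
# Applied here as a full-string match; how the CA applies it is not asserted.
CONSTRAINT_PATTERN = re.compile(r"CN=[^,]+,.+")

# Default template quoted in the message (policyset.serverCertSet.1.default.params.name).
DEFAULT_TEMPLATE = "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA"


def split_rdns(dn):
    """Split a string DN into RDN strings on unescaped commas.

    A backslash-escaped comma (\\,) is part of a value and does not split.
    Surrounding whitespace on each RDN is dropped so "CN=a, O=b" and
    "CN=a,O=b" parse the same way.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def attribute_values(dn, attr):
    """Return every value of attribute `attr` (case-insensitive) in DN order."""
    values = []
    for rdn in split_rdns(dn):
        name, _, value = rdn.partition("=")
        if name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def check_subject(dn):
    """Report whether the subject passes the regex constraint and how many CNs it has.

    The point of the report: a subject can satisfy CN=[^,]+,.+ and still carry
    more than one CN RDN, so the pattern alone does not pin down "the" hostname.
    """
    cns = attribute_values(dn, "CN")
    return {
        "matches_pattern": CONSTRAINT_PATTERN.fullmatch(dn) is not None,
        "cn_values": cns,
        "single_cn": len(cns) == 1,
    }


def template_cn_count(template):
    """Count CN RDNs a subject template would contain once its placeholder is a value.

    The template is treated as a DN string; the $...$ placeholder is just one
    value, so a template that also contains a literal CN=... yields two CNs.
    """
    return len(attribute_values(template, "CN"))


if __name__ == "__main__":
    # Subject from the certutil -s argument in the message: two CN RDNs.
    print(check_subject("CN=pinto.example.com,OU=Test,CN=Coyote,O=Acme"))
    # A subject with exactly one CN, shaped like the default template.
    print(check_subject("CN=pinto.example.com,OU=pki-ipa,O=IPA"))
    print(template_cn_count(DEFAULT_TEMPLATE))
    print(template_cn_count("CN=Test, CN=$request.req_subject_name.cn$"))
```

Running the module prints that the two-CN subject matches the pattern yet is not single_cn, that the default template carries one CN, and that a template with a literal CN=Test carries two; the last check is a cheap lint for the situation described in question 2, independent of whatever the CA does with duplicate CNs.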