Well, the goal is:
Make a default certificate for workstations joined to a FreeIPA domain (on the FreeIPA side) to allow
them to use it as an identity to authenticate against 802.1X (wired and wireless; yes,
machine auth is the goal, not user auth) and (secondarily) to protect services hosted on
workstations. Possibly this should replace FreeIPA's default caIPAserviceCert.
Currently I am stuck on several problems:
* Making a certificate enrolled from this template distinguishable from other certificates by
humans. This can be achieved by adding the "legacy" V1 template name extension
1.3.6.1.4.1.311.20.2 (MS: szOID_ENROLL_CERTTYPE_EXTENSION).
* Adding something globally unique (both at the moment and over time) to the SAN, like ldap:ipaUniqueId.
And several questions:
* Can I add something to the SAN UPN to make the logic for Windows and Linux certificates on
RADIUS less distinctive?
* I want to avoid saving the certificate with IPA. Should I modify the default caIPAserviceCert,
or would it be better to limit it to some hosts and services?
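As an added illustration (my own code, not part of the thread or of FreeIPA) of what the V1 template-name extension from the first bullet looks like on the wire: it builds the DER for OID 1.3.6.1.4.1.311.20.2 and its BMPString value in plain Python, so the bytes can be pasted into an openssl-style extension section or decoded on the RADIUS side to check which template issued a client certificate. The template name "Machine" and the `OID = DER:hex` line format are assumptions, not something the post specifies.

```python
"""Encode/decode the Microsoft V1 template-name extension
(OID 1.3.6.1.4.1.311.20.2, szOID_ENROLL_CERTTYPE_EXTENSION).
The extension value is a single DER BMPString (UTF-16BE)."""

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_template_name(name: str) -> bytes:
    """DER BMPString (tag 0x1E) carrying the template name."""
    payload = name.encode("utf-16-be")
    return b"\x1e" + _der_length(len(payload)) + payload


def decode_template_name(der: bytes) -> str:
    """Inverse of encode_template_name; rejects non-BMPString or truncated input."""
    if len(der) < 2 or der[0] != 0x1E:
        raise ValueError("extension value is not a BMPString")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    payload = der[offset:offset + length]
    if len(payload) != length or length % 2:
        raise ValueError("truncated or odd-length BMPString")
    return payload.decode("utf-16-be")


def encode_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def openssl_cnf_line(name: str) -> str:
    """Assumed openssl.cnf-style extension line: 'OID = DER:aa:bb:...'."""
    hexstr = ":".join(f"{b:02x}" for b in encode_template_name(name))
    return f"{MS_TEMPLATE_NAME_OID} = DER:{hexstr}"
```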