Dears, I have found https://github.com/dogtagpki/pki/wiki/Certificate-Profiles with the flow chart on end entity enrollment. Our organisation makes it very hard to use LDAP and more easy to use SAML/ OIDC. This issue was brought up some years ago already in the user mailing list with a brief answer on looking into proxying the web interface through apache with e.g. mod_auth_openidc. https://github.com/OpenIDC/mod_auth_openidc Can you please help me to understand how 1) I could set in certificate profiles the default to HTTP Server header values? (I guess this is how integration with mod_auth_openidc would work) 2) I could set in certificate profiles the constraint accordingly. Best regards, Robert