On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
Hello,
I installed the last version of DogTag but I have a problem with the
uniqueness of the Subject Name. By default I can issue more than one
certificate with the same Subject Name. The problem becomes even worst
when I use a profile based on directory authentication. So it looks that
anyone with proper credentials can issue countless number of certificate
with the same subject.
Since is it a fresh installation and only the LDAP authenticator and
publisher are configured I doubt it is an error related to any
intervention to the certificate profiles. On the other side I can't fine
in the documentation (even in the on of Red Hat Certificate Server) this
discussed in any details.
Do I do anything wrong or it is expected? Or if it is by default how
could I make it possible to limit the users using the automatic
enrolling to be able to have only one certificate?
Thank you very much in advance for your answer.
Best regards,
Veselin Kolev
Hi Veselin,
In general, it does not make sense to limit a subject to one
certificate. There are many reasons:
- different certs for different purposes for same subject
- certificates with different keys (or key types) for same subject
- the need for an "overlap" between certs that are soon to expire,
and the replacement
If you really do need to limit number of certs issued per subject,
you could write profile constraint components to enforce that. But
they do not exist already, and we are unlikely to implement them.
Thanks,
Fraser