On Sun, Apr 02, 2017 at 03:35:25PM -0700, Vesselin Kolev wrote:
Thank you for the direct and clear answer, Fraser!
I do understand the reason why it is possible to have more than one
certificate with the same subjectName. But sometimes there are specific
requirements for the client. I will implement a constraint and try to
solve the problem it that way.
Good luck. Reach out if you have specific questions.
Best regards,
Veselin
On 04/02/2017 03:23 PM, Fraser Tweedale wrote:
> On Sat, Apr 01, 2017 at 05:17:42PM -0700, Vesselin Kolev wrote:
>> Hello,
>>
>> I installed the last version of DogTag but I have a problem with the
>> uniqueness of the Subject Name. By default I can issue more than one
>> certificate with the same Subject Name. The problem becomes even worst
>> when I use a profile based on directory authentication. So it looks that
>> anyone with proper credentials can issue countless number of certificate
>> with the same subject.
>>
>> Since is it a fresh installation and only the LDAP authenticator and
>> publisher are configured I doubt it is an error related to any
>> intervention to the certificate profiles. On the other side I can't fine
>> in the documentation (even in the on of Red Hat Certificate Server) this
>> discussed in any details.
>>
>> Do I do anything wrong or it is expected? Or if it is by default how
>> could I make it possible to limit the users using the automatic
>> enrolling to be able to have only one certificate?
>>
>> Thank you very much in advance for your answer.
>>
>> Best regards,
>>
>> Veselin Kolev
>>
> Hi Veselin,
>
> In general, it does not make sense to limit a subject to one
> certificate. There are many reasons:
>
> - different certs for different purposes for same subject
>
> - certificates with different keys (or key types) for same subject
>
> - the need for an "overlap" between certs that are soon to expire,
> and the replacement
>
> If you really do need to limit number of certs issued per subject,
> you could write profile constraint components to enforce that. But
> they do not exist already, and we are unlikely to implement them.
>
> Thanks,
> Fraser