Thank you both, I thought something like that may be the case.

The program in question is the Proxmox web GUI. It has logic that complains if the SAN features values that aren't DNS names or IP addresses (in /usr/share/perl5/PVE/Certificate.pm - file listed for the curious as I can't recall the licensing or find a repo location to link to). It does still work, but gets quite log spammy if it encounters any other record types in the SAN section. Really it wants commercially issued certs or something like letsencrypt. I'll see if they are up for making it less shouty (or I am capable of a submission to achieve the same) when it does encounter values outside of the ones it cares about!

Appreciate the responses/guidance as ever,

David

On Fri, 1 Apr 2022 at 00:53, Fraser Tweedale <ftweedal@redhat.com> wrote:
On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> > Hi FreeiPA users,
> >
> > I'm having great fun with a web app that hates the othername/ NT Principal
> > name included with certificates generated with ipa-getcert.
> >
> > I've tried several variations but can't omit this part of the subject
> > alternative name. Is there any way to do so?
>
> You may add a separate certificate profile that omits the principal and
> allow issuing with this profile. The check for the Kerberos principal is
> a part of the issuance process before the certificate request is passed
> to the CA for actual signing. Once signed, content of the certificate is
> not validated anymore.
>
> See Fraser's blog like this one:
> https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
> for some examples.
>
Hi David,

+Rob

Actually, a custom profile won't help.  cert-request command
validates the SAN extension, but cannot alter it (e.g. to remove the
UPN value).  So, you need to submit a CSR that does not have the UPN
otherName value.

Unfortunately, that is not possible via Certmonger.  The logic goes
like this:

- `ipa getcert-request` requires the `--principal` option to specify
  the subject principal

- The certmonger-ipa-submit(8) submission helper sets this argument
  using the value of the CERTMONGER_REQ_PRINCIPAL environment
  variable (src/ipa.c ~L768)

- The certmonger code that invokes the submission helper sets that
  environment variable from the request's `template_principal` field,
  if set (src/submit-e.c ~L863)

- If the `template_principal` field is set (as it must be for the
  IPA CA per above premises), the CSR will also include the
  KRB5PrincipalName and UPN otherName values in the SAN extension.

The only workaround I see is to not use Certmonger in this case.

The proper solution is to fix whatever program is complaining about
the certificate.  Are you able to say what program it is?  Can you
file a support/change request?

It would be possible to enhance Certmonger to know the principal to
tell it to `ipa cert-request` *without* also setting the
KRB5PrincipalName and UPN otherNames.  But it's a non-trivial change
to handle a possibly non-conforming verifier implementation.  I
would not count on it happening.

Thanks,
Fraser
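As an added example that is not part of this thread (and not code from Certmonger, FreeIPA or Proxmox), here is a dependency-free Python check for the situation David and Fraser describe: it parses the DER value of a subjectAltName extension, classifies each GeneralName, and lists the entries that a verifier accepting only dNSName and iPAddress (like the Proxmox check David mentions) would object to. The sample SAN it builds is constructed, using a hypothetical host/pve.example.test@EXAMPLE.TEST principal; the two otherName type-id OIDs are the standard ones for the Microsoft UPN and the PKINIT KRB5PrincipalName.

```python
import ipaddress

# DER-encoded bodies of the two otherName type-id OIDs certmonger adds when --principal is set
UPN = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN, UTF8String value)
KRB5 = bytes.fromhex("2b0601050202")          # 1.3.6.1.5.2.2 (id-pkinit-san, KRB5PrincipalName SEQUENCE)
OTHER_NAMES = {UPN: "UPN", KRB5: "KRB5PrincipalName"}

def _tlv(tag, body):  # encode one DER element with definite length (short or long form)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(b, pos):  # decode the element at pos -> (tag, body, position after it)
    tag, ln, pos = b[pos], b[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(b[pos:pos + n], "big"), pos + n
    return tag, b[pos:pos + ln], pos + ln

def parse_san(san_der):
    """Classify each GeneralName in a subjectAltName extension value (SEQUENCE OF GeneralName)."""
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SAN must be a SEQUENCE OF GeneralName"
    names, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x82:    # [2] dNSName, IA5String
            names.append(("dNSName", body.decode("ascii")))
        elif tag == 0x87:  # [7] iPAddress, 4 or 16 octets
            names.append(("iPAddress", str(ipaddress.ip_address(body))))
        elif tag == 0xA0:  # [0] otherName: type-id OID followed by [0] EXPLICIT value
            oid = _read_tlv(body, 0)[1]
            names.append(("otherName", OTHER_NAMES.get(oid, oid.hex())))
        else:
            names.append(("other", hex(tag)))
    return names

def unsupported_entries(names):
    """Entries a verifier that only accepts dNSName and iPAddress would complain about."""
    return [n for n in names if n[0] not in ("dNSName", "iPAddress")]

def build_sample_san():
    """Constructed SAN resembling certmonger output for a host principal (hypothetical names)."""
    upn = _tlv(0xA0, _tlv(0x06, UPN) + _tlv(0xA0, _tlv(0x0C, b"host/pve.example.test@EXAMPLE.TEST")))
    realm = _tlv(0xA0, _tlv(0x1B, b"EXAMPLE.TEST"))                      # [0] Realm, GeneralString
    comps = _tlv(0x30, _tlv(0x1B, b"host") + _tlv(0x1B, b"pve.example.test"))  # name-string components
    pname = _tlv(0xA1, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x01")) + _tlv(0xA1, comps)))  # [1] PrincipalName
    krb = _tlv(0xA0, _tlv(0x06, KRB5) + _tlv(0xA0, _tlv(0x30, realm + pname)))
    return _tlv(0x30, _tlv(0x82, b"pve.example.test") + _tlv(0x87, bytes([10, 0, 0, 1])) + upn + krb)
```

Feed parse_san() the raw DER value of a real certificate's subjectAltName extension to see exactly which entries such a verifier would flag before deploying the certificate.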