On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> > Hi FreeIPA users,
> >
> > I'm having great fun with a web app that hates the othername/NT Principal
> > Name included with certificates generated with ipa-getcert.
> >
> > I've tried several variations but can't omit this part of the subject
> > alternative name. Is there any way to do so?
>
> You may add a separate certificate profile that omits the principal and
> allow issuing with this profile. The check for the Kerberos principal is
> a part of the issuance process before the certificate request is passed
> to the CA for actual signing. Once signed, content of the certificate is
> not validated anymore.
>
> See Fraser's blog, e.g. this post:
> https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
> for some examples.
>
Hi David,
+Rob

Actually, a custom profile won't help. The cert-request command
validates the SAN extension, but cannot alter it (e.g. to remove the
UPN value). So, you need to submit a CSR that does not have the UPN
otherName value.

Unfortunately, that is not possible via Certmonger. The logic goes
like this:

- `ipa getcert-request` requires the `--principal` option to specify
  the subject principal
- The certmonger-ipa-submit(8) submission helper sets this argument
  using the value of the CERTMONGER_REQ_PRINCIPAL environment
  variable (src/ipa.c ~L768)
- The certmonger code that invokes the submission helper sets that
  environment variable from the request's `template_principal` field,
  if set (src/submit-e.c ~L863)
- If the `template_principal` field is set (as it must be for the
  IPA CA per above premises), the CSR will also include the
  KRB5PrincipalName and UPN otherName values in the SAN extension.

The only workaround I see is to not use Certmonger in this case.

The proper solution is to fix whatever program is complaining about
the certificate. Are you able to say what program it is? Can you
file a support/change request?

It would be possible to enhance Certmonger to know the principal to
tell it to `ipa cert-request` *without* also setting the
KRB5PrincipalName and UPN otherNames. But it's a non-trivial change
to handle a possibly non-conforming verifier implementation. I
would not count on it happening.

Thanks,
Fraser
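An added example, not code from this thread or from FreeIPA/certmonger: a small DER walker that lists the otherName OIDs in a SubjectAltName value, so an admin can check whether a CSR or certificate actually carries the UPN (1.3.6.1.4.1.311.20.2.3) or KRB5PrincipalName (1.3.6.1.5.2.2) entries discussed above before blaming the verifier. The SAN byte strings and the `_tlv` encoder are constructed here for the demonstration; in practice you would feed it the raw extension value pulled from the certificate.

```python
# Added example (not from the thread): inspect a SubjectAltName DER value and
# report which otherName OIDs it carries. Sample SAN bytes are constructed.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"    # Microsoft NT Principal Name (szOID_NT_PRINCIPAL_NAME)
KRB5_PRINCIPAL_OID = "1.3.6.1.5.2.2"  # id-pkinit-san, KRB5PrincipalName (RFC 4556)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Dotted-decimal form of the content bytes of a DER OBJECT IDENTIFIER."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def san_othername_oids(san_der):
    """OIDs of every otherName ([0] IMPLICIT) GeneralName in a SAN extension value."""
    tag, names, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SAN value must be a SEQUENCE OF GeneralName"
    oids, pos = [], 0
    while pos < len(names):
        tag, value, pos = _read_tlv(names, pos)
        if tag == 0xA0:                     # [0] constructed: otherName { type-id OID, [0] value }
            _, oid_content, _ = _read_tlv(value, 0)
            oids.append(_decode_oid(oid_content))
    return oids

def has_principal_san(san_der):
    """True when the SAN carries a UPN or KRB5PrincipalName otherName."""
    return bool(set(san_othername_oids(san_der)) & {UPN_OID, KRB5_PRINCIPAL_OID})

def _tlv(tag, content):
    """Tiny DER encoder (short-form length only) used to build the constructed samples."""
    return bytes([tag, len(content)]) + content

# Constructed samples: a SAN with dNSName + UPN otherName (what certmonger adds), and one without.
_UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # content bytes of 1.3.6.1.4.1.311.20.2.3
SAN_WITH_UPN = _tlv(0x30, _tlv(0x82, b"host.example.test")
                    + _tlv(0xA0, _tlv(0x06, _UPN_OID_DER) + _tlv(0xA0, _tlv(0x0C, b"user@EXAMPLE.TEST"))))
SAN_DNS_ONLY = _tlv(0x30, _tlv(0x82, b"host.example.test"))
```

To check a real certificate, extract the SubjectAltName extension value (for example with an ASN.1 dumper) and pass its DER bytes to `has_principal_san`.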