This ticket is to compensate for what the following group of tickets did not resolve:

https://fedorahosted.org/pki/ticket/682 Add new profile plug-in preserving subject name with its encoding included in certificate request
https://fedorahosted.org/pki/ticket/681 Add new profile to support CA cross signing enrollment
https://fedorahosted.org/pki/ticket/448 RFE: DN consistent encoding in CSR subject DN, cert subject DN, Issuer DN, DirectoryString and PrintableString or UTF8String encoding support
First of all, the above tickets added functionality to allow "user-supplied subject DN", which means: They allow pre-generated requests (CSR) to contain encodings of their own in the subject DN, and the CA (original code) would then process it correctly by passing them "as is" to the eventual issued cert.
What they did not resolve is to allow:

1. The CA itself to issue site-desired encoding(s) on its own system certs.
2. Requests (without pre-generated user-supplied DN with encodings) to conform to site-specified encodings.
In this ticket, we should provide such functionality, possibly in the form of enrollment default/constraint plugins and profile(s). For example, with a fix for this ticket, the profile could then be specified as:

policyset.set1.p1.default.class_id=userDNwithIndividualEncodingSubjectNameDefaultImpl
policyset.set1.p1.default.name=userDNwithIndividualEncodingSubjectNameDefault
policyset.set1.p1.default.params.dnpattern=CN=uid=<PrintableString>$request.uid$,cn=<UTF8String>$request.cn$,<UTF8String>ou=$request.upn$, <UTF8String>o=example, <PrintableString>C=$request.c$
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.searchName=uid
policyset.set1.p1.default.params.ldapStringAttributes=uid,cn,c,upn
policyset.set1.p1.default.params.ldap.basedn=ou=People,dc=example,dc=com
policyset.set1.p1.default.params.ldap.maxConns=4
policyset.set1.p1.default.params.ldap.minConns=1
policyset.set1.p1.default.params.ldap.ldapconn.Version=2
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.localdomain
policyset.set1.p1.default.params.ldap.ldapconn.port=389
policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
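As an added illustration of what the proposed per-attribute encoding tags in dnpattern would have to do at the DER level (example code written for this page, not Dogtag's implementation; the accepted tag placements, the untagged fallback rule and the rejection of non-printable values forced to PrintableString are assumptions), the following builds an X.500 Name from a tagged pattern and a request's attribute values:

```python
import re

# Added example, not Dogtag code: DER-encode an X.500 Name from a dnpattern in
# which each attribute is tagged with the DirectoryString type to use, e.g.
#   "cn=<UTF8String>$request.cn$,<PrintableString>C=$request.c$"
OIDS = {"cn": b"\x55\x04\x03", "c": b"\x55\x04\x06", "o": b"\x55\x04\x0a",
        "ou": b"\x55\x04\x0b", "uid": b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x01"}
TAGS = {"PrintableString": 0x13, "UTF8String": 0x0C}
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,./:=?-]*$")
# Assumed syntax: the <Encoding> tag may sit before the attribute or after '='.
ATTR = re.compile(r"^\s*(?:<(\w+)>)?\s*(\w+)\s*=\s*(?:<(\w+)>)?(.*?)\s*$")

def der(tag, body):
    """Wrap body in a DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_name(dnpattern, request):
    """Return (DER Name bytes, [(attr, encoding, value), ...]) for the pattern.
    Splitting on ',' assumes attribute values contain no commas (demo only)."""
    rdns, chosen = [], []
    for part in dnpattern.split(","):
        m = ATTR.match(part)
        if not m:
            raise ValueError("bad dnpattern component: %r" % part)
        tag_before, attr, tag_after, value = m.groups()
        attr = attr.lower()
        # Substitute $request.<field>$ references from the enrollment request.
        value = re.sub(r"\$request\.(\w+)\$", lambda r: request[r.group(1)], value)
        enc = tag_before or tag_after
        if enc is None:  # untagged (assumed rule): tightest type that fits
            enc = "PrintableString" if PRINTABLE.match(value) else "UTF8String"
        if enc not in TAGS:
            raise ValueError("unknown encoding %r for %s" % (enc, attr))
        if enc == "PrintableString" and not PRINTABLE.match(value):
            # Site forced PrintableString but the value cannot be one: fail the
            # request instead of emitting an invalid DER string.
            raise ValueError("%s=%r is not a valid PrintableString" % (attr, value))
        atv = der(0x30, der(0x06, OIDS[attr]) + der(TAGS[enc], value.encode("utf-8")))
        rdns.append(der(0x31, atv))  # RDN: SET OF one AttributeTypeAndValue
        chosen.append((attr, enc, value))
    return der(0x30, b"".join(rdns)), chosen
```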
Metadata Update from @cfu: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1426
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)