freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#5190 Users cannot self-issue certificate with SAN

Created 2 years ago by ftweedal
Modified 8 months ago

Reported by abokovoy.

[root@id ~]# ipa certprofile-find
------------------
2 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: caIPAsmimeCert
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
----------------------------
Number of entries returned 2
----------------------------
[root@id ~]# ipa certprofile-show caIPAsmimeCert
  Profile ID: caIPAsmimeCert
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
[root@id ~]# ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  User category: all
  Host category: all
  Profiles: caIPAserviceCert

  ACL name: smime_acl
  Enabled: TRUE
  Profiles: caIPAsmimeCert
  User Groups: smime_users
----------------------------
Number of entries returned 2
----------------------------
[root@id ~]# ipa group-show smime_users
  Group name: smime_users
  GID: 1792600006
  Member users: abokovoy

....

[abokovoy@onega freeipa-ca]$ ipa  cert-request ab-vdali.csr --principal abokovoy --profile-id caIPAsmimeCert
ipa: ERROR: Insufficient access: not allowed to perform this command

A user should be able to issue a certificate with an rfc822Name SAN (subject
to caacl).

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200694 (Red Hat Enterprise Linux 7)

master:

  • 6f8b0ed Give more info on virtual command access denial
  • aafc0e9 Allow SAN extension for cert-request self-service

ipa-4-2:

  • 8cc61cc Give more info on virtual command access denial
  • 0e44568 Allow SAN extension for cert-request self-service
8 months ago

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.1

Login to comment on this ticket.

defect

Certificate management

1

https://bugzilla.redhat.com/show_bug.cgi?id=1200694

cancel