cert-request currently unconditionally checks that the operator has
write permission to the subject principal's `userCertificate` attribute.
But if the profile has `ipaCertProfileStoreIssued=False` write would not
even be attempted. The permission check could (should) be skipped in
Furthermore, in future we might implement support for requesting certs
for subjects whose objects do not have a `userCertificate` attribute,
or for external subjects, so the permission check would also be predicated
As of 2016-10-24 no one has actually asked for this - it is just a shortcoming
that has been observed. See related discussion:
Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases