cert-request currently unconditionally checks that the operator has write permission to the subject principal's `userCertificate` attribute. But if the profile has `ipaCertProfileStoreIssued=False`, the write would not even be attempted. The permission check could (should) be skipped in this case.
Furthermore, in future we might implement support for requesting certs for subjects whose objects do not have a `userCertificate` attribute, or for external subjects, so the permission check would also be predicated on that.
As of 2016-10-24 no one has actually asked for this - it is just a shortcoming that has been observed. See related discussion: https://gist.github.com/frasertweedale/6093f2312d16b3958374cc15b55b4d63
Metadata Update from @ftweedal: - Issue assigned to someone - Issue set to the milestone: Future Releases