#6858 RFE - Option to add custom OID or display name in IPA Cert
Closed: fixed a year ago Opened 2 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1427105

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
RFE - Option to add custom OID or display name in IPA Cert

Something like this should be accepted

Template display name: Foobar Subordinate Certification Authority
Object identifier: <custom oid>

ipa-server-install --external-ca-type=ms-cs --external-ca --subject="O=Foobar Corp/OU=Linux Dev/C=US/ST=NY/L=FooBar"

The OID that is created with the above installation options ends up having the
following:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=Foobar Corp/OU=Linux Dev/C=US/ST=NY/L=FooBar, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <REMOVED>
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
...

However, some companies use a different type of naming convention & need a
different OID. For example, something like below might be needed.

Template display name: Foobar Subordinate Certification Authority
Object identifier: <custom oid>

This is only for one environment, too. Two of our other environments do not
share the same OID. Due to these restrictions that we have, a dynamic name and
OID are necessary for us to actually be able to utilize the template field.

Justification:

It is not uncommon for organizations to utilize custom CA templates. They also
said that I may be off base by stating that an OID needs to be set; the
template name may be enough. Currently, though, I am not able to use the IdM
server as a sub CA like the feature --external-ca-type=ms-cs is implying.

Attempting this approach will help avoid another offline root CA, if at all possible.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1427105

2 years ago

I'm taking this one. (For some reason I cannot change ticket metadata
to assign myself).

@ftweedal you need to be a project member to assign tickets to yourself.

Metadata Update from @mbasti:
- Issue assigned to ftweedal

2 years ago

@cheimes how do I become a project member on pagure?

@ftweedal I granted you "ticket" permissions for freeipa project

Metadata Update from @ftweedal:
- Issue set to the milestone: FreeIPA 4.6 (was: Future Releases)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.1 (was: FreeIPA 4.6)

a year ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6.1)

a year ago

master:

  • c5afee9 cli: simplify parsing of arbitrary types
  • 1699cff Remove duplicate references to external CA type
  • b4365e3 install: allow specifying external CA template
  • fc7c684 ipa-ca-install: add --external-ca-profile option
  • 2207dc5 certmonger: refactor 'resubmit_request' and 'modify'
  • 560ee3c certmonger: add support for MS V2 template
  • 29f4ec8 ipa-cacert-manage: support MS V2 template extension
  • d43cf35 Add tests for external CA profile specifiers
  • 49c0a7b ipa-cacert-manage: handle alternative tracking request CA name
  • 75a2eda ipa-cacert-manage: avoid some duplicate string definitions

ipa-4-6:

  • 61303c7 cli: simplify parsing of arbitrary types
  • 6de5432 Remove duplicate references to external CA type
  • f612678 install: allow specifying external CA template
  • 0054cfb ipa-ca-install: add --external-ca-profile option
  • 9774af3 certmonger: refactor 'resubmit_request' and 'modify'
  • 9d8c2fc certmonger: add support for MS V2 template
  • 562f114 ipa-cacert-manage: support MS V2 template extension
  • 05be839 Add tests for external CA profile specifiers
  • d07563b ipa-cacert-manage: handle alternative tracking request CA name
  • 78d0122 ipa-cacert-manage: avoid some duplicate string definitions
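
Why the CSR dump in the description shows `.S.u.b.C.A` under 1.3.6.1.4.1.311.20.2, and what the "MS V2 template" extension named in the commits carries instead, as an added example that is not part of this ticket or FreeIPA's code. Assumptions: the V2 extension OID 1.3.6.1.4.1.311.21.7 (not shown on this page) and all function names are the example's own; any template OID passed in is a constructed sample.

```python
V1_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # the OID in the CSR dump on this page
V2_TEMPLATE_OID = "1.3.6.1.4.1.311.21.7"       # assumption: MS V2 template extension

def _tlv(tag, content):
    """DER tag-length-value, short or long length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def _base128(n):
    """One OID arc: 7 bits per byte, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % dotted)
    return _tlv(0x06, b"".join(map(_base128, [arcs[0] * 40 + arcs[1]] + arcs[2:])))

def der_uint(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def v1_template_value(name):
    """Value for 1.3.6.1.4.1.311.20.2: the template name as a BMPString."""
    if any(ord(c) > 0xFFFF for c in name):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    return _tlv(0x1E, name.encode("utf-16-be"))

def v2_template_value(template_oid, major, minor=None):
    """Value for the V2 extension: SEQUENCE { template OID, major, minor if given }."""
    body = der_oid(template_oid) + der_uint(major)
    if minor is not None:
        body += der_uint(minor)
    return _tlv(0x30, body)

def openssl_style(raw):
    """Approximate openssl's text dump of an unknown extension: '.' for non-printables."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E or b in (0x0A, 0x0D) else "." for b in raw)
```

`openssl_style(v1_template_value("SubCA"))` returns a dot, a line feed, then `.S.u.b.C.A`: the BMPString tag 0x1e, the length byte 0x0a (which prints as a newline), and the zero high bytes of UTF-16BE. The V1 extension can therefore only carry a name, while the V2 value carries a template OID plus version numbers.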

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
