#6912 IPA missing definitions of Kerberos principal in CSR profiles in client code
Opened 2 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1441884

Description of problem:

With the move to support PKINIT, certificates may need to be generated with
Kerberos principal. To do this, we should have a separate certprofile already
in place to create user certificates (and maybe service ones?) with Kerberos
principal included in SAN.

Version-Release number of selected component (if applicable):
4.5.0-4.el7

How reproducible:
always

Steps to Reproduce:
1.  ipa certprofile-show <profile_for_users_with_kerberos_principals>

Actual results:
nothing listed

Expected results:
Shows the certificate profile for creating profiles including Kerberos
principal.

Additional info:

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441884

2 years ago

Some context: there is nothing we can do in Dogtag certificate profile configuration to require the KRB5PrincipalName value or populate it automatically. This leaves a couple of possible things we could do (not mutually exclusive):

  1. Define a user cert profile in IPA with sensible default configuration, and CSR autogeneration support for including the KRB5PrincipalName in the CSR. This will allow the user to easily supply the KRB5PrincipalName in the CSR. We should then encourage users to use the CSR autogen feature, document it well, etc.

  2. Always require KRB5PrincipalName for user certificate requests (I am not in favour of this, because it forces the user to supply it even if the cert use case does not require it).


Ultimately the problem is only fully solved when IPA+Dogtag is smart enough to have profiles that can pull cert data directly from LDAP (or other valid sources) for a given subject, as outlined in https://blog-ftweedal.rhcloud.com/2015/11/freeipa-pki-current-plans-and-a-future-vision/
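Added example, not code from this ticket or from FreeIPA, of the SAN value option 1 is about: a pure-Python DER encoder and decoder for the id-pkinit-san otherName defined in RFC 4556, plus the issuance-side check that the principal named in a submitted CSR is the principal the requester is actually bound to. It assumes ASCII principal components with no escaped '@' or '/', small name-type values, and the function names are my own.

```python
# RFC 4556 s.3.2.2: KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
#   PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
ID_PKINIT_SAN = bytes.fromhex("06062b0601050202")  # OID 1.3.6.1.5.2.2 (id-pkinit-san), DER-encoded
NT_PRINCIPAL = 1                                    # KRB_NT_PRINCIPAL, RFC 4120 s.6.2

def _tlv(tag, body):  # DER tag-length-value; long-form length when body >= 128 bytes
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + body
def _read_tlv(buf, pos):  # -> (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n
def _child(buf, pos):  # body of the element nested inside the element at pos, and next position
    _, outer, nxt = _read_tlv(buf, pos)
    return _read_tlv(outer, 0)[1], nxt

def encode_krb5_principal_name(principal):
    """'comp1/comp2@REALM' -> DER KRB5PrincipalName (escaped '@' or '/' not handled)."""
    name, realm = principal.rsplit("@", 1)
    kstr = lambda s: _tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString
    name_type = _tlv(0xA0, _tlv(0x02, bytes([NT_PRINCIPAL])))  # INTEGER; valid for 0..127 only
    name_string = _tlv(0xA1, _tlv(0x30, b"".join(kstr(c) for c in name.split("/"))))
    return _tlv(0x30, _tlv(0xA0, kstr(realm)) + _tlv(0xA1, _tlv(0x30, name_type + name_string)))

def encode_pkinit_san_othername(principal):
    """GeneralName.otherName ([0] IMPLICIT) with type-id id-pkinit-san and a [0] EXPLICIT value."""
    return _tlv(0xA0, ID_PKINIT_SAN + _tlv(0xA0, encode_krb5_principal_name(principal)))

def decode_pkinit_san_othername(der):
    """Parse the otherName back to ('name@REALM', name-type); reject any other type-id."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0xA0 or not body.startswith(ID_PKINIT_SAN):
        raise ValueError("not an id-pkinit-san otherName")
    kpn, _ = _child(body, len(ID_PKINIT_SAN))  # [0] EXPLICIT -> KRB5PrincipalName body
    realm, p = _child(kpn, 0)                  # [0] -> Realm
    pn, _ = _child(kpn, p)                     # [1] -> PrincipalName body
    nt, p = _child(pn, 0)                      # [0] -> name-type INTEGER
    ns, _ = _child(pn, p)                      # [1] -> SEQUENCE OF KerberosString body
    parts, p = [], 0
    while p < len(ns):
        _, s, p = _read_tlv(ns, p)
        parts.append(s.decode("ascii"))
    return "/".join(parts) + "@" + realm.decode("ascii"), int.from_bytes(nt, "big", signed=True)

def principal_matches(san_der, bound_principal):
    """Issuance check: the SAN principal must be the requester's authenticated principal."""
    requested, name_type = decode_pkinit_san_othername(san_der)
    return name_type == NT_PRINCIPAL and requested == bound_principal
```

The hand-rolled DER is only there to keep the example dependency-free; a real CA would parse the CSR with an ASN.1 library and then apply the same comparison before issuing.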

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
