Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1441884
Description of problem:
With the move to support PKINIT, certificates may need to be generated with a
Kerberos principal. To do this, we should have a separate certprofile already
in place to create user certificates (and maybe service ones?) with the Kerberos
principal included in the SAN.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ipa certprofile-show <profile_for_users_with_kerberos_principals>
Shows the certificate profile for creating profiles including Kerberos
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441884
Some context: there is nothing we can do in Dogtag certificate profile configuration to require the KRB5PrincipalName value or populate it automatically. This leaves a couple of possible things we could do (not mutually exclusive):

1. Define a user cert profile in IPA with sensible default configuration, and CSR autogeneration support for including the KRB5PrincipalName in the CSR. This will allow users to easily supply the KRB5PrincipalName in the CSR. We should then encourage users to use the CSR autogen feature, document it well, etc.
2. Always require KRB5PrincipalName for user certificate requests (I am not in favour of this, because it forces the user to supply it even if the cert use case does not require it).

Ultimately the problem is only fully solved when IPA+Dogtag is smart enough to have profiles that can pull cert data directly from LDAP (or other valid sources) for a given subject, as outlined in https://blog-ftweedal.rhcloud.com/2015/11/freeipa-pki-current-plans-and-a-future-vision/
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone