#7322 cert_find --subject is not finding by cert subject
Closed: fixed 6 months ago by cheimes. Opened a year ago by cheimes.

The ipa cert_find command has an option called --subject. The option is documented as --subject=STR Subject. As a user and as a developer I also expect that a --subject option searches by X.509 subject field. But that is not the case:

$ ipa cert_find --subject="CN=OCSP Subsystem,O=IPA.EXAMPLE" 
0 certificates matched
Number of entries returned 0

In fact ipa cert_find --subject matches by CN value, not by subject. This is highly confusing.

$ ipa cert_find --subject="OCSP Subsystem" 
1 certificate matched
  Issuing CA: ipa
  Subject: CN=OCSP Subsystem,O=IPA.EXAMPLE
  Issuer: CN=Certificate Authority,O=IPA.EXAMPLE
  Not Before: Tue Nov 28 21:12:27 2017 UTC
  Not After: Mon Nov 18 21:12:27 2019 UTC
  Serial number: 2
  Serial number (hex): 0x2
  Status: VALID
  Revoked: False
Number of entries returned 1

Issue 1

--subject should be properly documented to take a CN and not a cert subject. Perhaps the option should be renamed to --cn in the long run?

Issue 2

There should be a way to search for a cert by cert subject string. There is a small twist as there are multiple ways to normalize and print a subject:

1) LDAP order CN=OCSP Subsystem,O=IPA.EXAMPLE
2) LDAP order with spaces CN=OCSP Subsystem, O=IPA.EXAMPLE
3) OpenSSL order O=IPA.EXAMPLE, CN=OCSP Subsystem
4) OpenSSL order with slashes /O=IPA.EXAMPLE/CN=OCSP Subsystem

Alexander suggested that we should look for an = in the value passed in.

If it contains an = then treat it as a full subject (which may need to be normalized)

If not then treat it as a CN as it is now.
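The "=" heuristic suggested above, as an added example (not FreeIPA code and not the change that closed this ticket): a small Python matcher that treats a query containing "=" as a full subject, normalizes the four spellings listed in the ticket, and otherwise falls back to matching the CN value as cert_find does today. The RDN parsing it assumes is naive and ignores RFC 4514 escaping.

```python
from typing import Tuple

# Added example (not FreeIPA code): the "=" heuristic proposed in this
# ticket. Parsing is deliberately simple and does not handle RFC 4514
# escaping of ',', '+', '=' or '/' inside attribute values.

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "OCSP Subsystem")


def parse_subject(text: str) -> Tuple[RDN, ...]:
    """Parse a subject string into a tuple of RDNs.

    Handles the spellings listed in the ticket: LDAP order with or without
    spaces after the comma, and OpenSSL's slash form, which is reversed so
    that every result is leaf-first (CN before O) like the LDAP spelling.
    """
    text = text.strip()
    if text.startswith("/"):
        # OpenSSL's legacy one-line form lists the root component first.
        parts = [p for p in text.split("/") if p]
        parts.reverse()
    else:
        parts = text.split(",")
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an ATTR=VALUE component: %r" % part)
        # Attribute types are case-insensitive; values keep their case but
        # lose the surrounding whitespace that the spellings vary in.
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def subject_matches(query: str, cert_subject: str) -> bool:
    """Return True if `query` selects a certificate with `cert_subject`.

    A query containing '=' is a full subject: compare after normalization,
    accepting the OpenSSL comma form (root first) by also trying the
    reversed RDN sequence. Otherwise keep today's behaviour: match the CN.
    """
    cert_rdns = parse_subject(cert_subject)
    if "=" in query:
        q = parse_subject(query)
        return q == cert_rdns or q == tuple(reversed(cert_rdns))
    return query.strip() in [v for a, v in cert_rdns if a == "CN"]
```

With this, both `--subject="OCSP Subsystem"` and `--subject="CN=OCSP Subsystem,O=IPA.EXAMPLE"` from the report above would match the OCSP certificate, while a partial subject such as `CN=OCSP Subsystem` alone would not.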

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7

11 months ago

  • 326fd6a Match Common Name attribute in Subject

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago
