Thank you both, I thought something like that may be the case.

The program in question is the Proxmox web GUI. It has logic that complains
if the SAN features values that aren't DNS names or IP addresses (in
/usr/share/perl5/PVE/Certificate.pm
- file listed for the curious as I can't recall the licensing or find a
repo location to link to). It does still work, but gets quite log-spammy if
it encounters any other record types in the SAN section. Really it wants
commercially issued certs or something like letsencrypt. I'll see if they
are up for making it less shouty (or I am capable of a submission to
achieve the same) when it does encounter values outside of the ones it
cares about!

Appreciate the responses/guidance as ever,

David

On Fri, 1 Apr 2022 at 00:53, Fraser Tweedale <[email protected]> wrote:

> On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via
> FreeIPA-users wrote:
> > On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> > > Hi FreeIPA users,
> > >
> > > I'm having great fun with a web app that hates the othername/NT
> > > Principal name included with certificates generated with ipa-getcert.
> > >
> > > I've tried several variations but can't omit this part of the subject
> > > alternative name. Is there any way to do so?
> >
> > You may add a separate certificate profile that omits the principal and
> > allow issuing with this profile. The check for the Kerberos principal is
> > a part of the issuance process before the certificate request is passed
> > to the CA for actual signing. Once signed, the content of the certificate is
> > not validated anymore.
> >
> > See Fraser's blog posts like this one:
> >
> > https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
> > for some examples.
> >
> >
> Hi David,
>
> +Rob
>
> Actually, a custom profile won't help.  cert-request command
> validates the SAN extension, but cannot alter it (e.g. to remove the
> UPN value).  So, you need to submit a CSR that does not have the UPN
> otherName value.
>
> Unfortunately, that is not possible via Certmonger.  The logic goes
> like this:
>
> - `ipa getcert-request` requires the `--principal` option to specify
>   the subject principal
>
> - The certmonger-ipa-submit(8) submission helper sets this argument
>   using the value of the CERTMONGER_REQ_PRINCIPAL environment
>   variable (src/ipa.c ~L768)
>
> - The certmonger code that invokes the submission helper sets that
>   environment variable from the request's `template_principal` field,
>   if set (src/submit-e.c ~L863)
>
> - If the `template_principal` field is set (as it must be for the
>   IPA CA per above premises), the CSR will also include the
>   KRB5PrincipalName and UPN otherName values in the SAN extension.
>
> The only workaround I see is to not use Certmonger in this case.
>
> The proper solution is to fix whatever program is complaining about
> the certificate.  Are you able to say what program it is?  Can you
> file a support/change request?
>
> It would be possible to enhance Certmonger to know the principal to
> tell it to `ipa cert-request` *without* also setting the
> KRB5PrincipalName and UPN otherNames.  But it's a non-trivial change
> to handle a possibly non-conforming verifier implementation.  I
> would not count on it happening.
>
> Thanks,
> Fraser
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]