An upstream ticket was created for this: https://pagure.io/freeipa/issue/9846. I imagine most further discussion will happen there.
rob

Orion Poplawski via FreeIPA-users wrote:
> On 8/29/25 01:25, Alexander Bokovoy wrote:
>> On Thu, 28 Aug 2025, Orion Poplawski via FreeIPA-users wrote:
>>> We are trying to leverage our IPA infrastructure to issue S/MIME
>>> certificates for email aliases that we have in use at the company. I
>>> created a userSMIMECert profile using the instructions here:
>>>
>>> https://access.redhat.com/solutions/6982899
>>>
>>> But I'm running into this constraint:
>>>
>>> invalid 'csr': DN commonName does not match user's login
>>>
>>> Which I don't think is appropriate for S/MIME certs - the commonName
>>> is generally the "Full Name" of the user. How do I remove that
>>> constraint? The profile is:
>>
>> This is hard-coded in the IPA certificate issuance validation before we
>> pass the request to Dogtag CA:
>>
>>     elif principal_type == USER:
>>         # check user name
>>         if cn != principal.username:
>>             raise errors.ValidationError(
>>                 name='csr',
>>                 error=_("DN commonName does not match user's login")
>>             )
>>
>>         # check email address
>>         #
>>
>> It is one of the requirements we have in IPA for the users to have the
>> same CN in the certificates as their usernames. Sure, this might not
>> apply to S/MIME certs but it currently cannot be changed.
>
> That's unfortunate. However, there is a bigger problem - the email
> address isn't making it into the certificate.
>
> I generated the request with:
>
> certutil -R -d /etc/pki/nssdb -a -s 'CN=it_help, [email protected],
> O=NorthWest Research Associates'
>
> but the cert just has:
>
> Subject: O=NWRA.COM, CN=it_help
>
>>>
>>> auth.instance_id=raCertAuth
>>> classId=caEnrollImpl
>>> desc=This certificate profile is for enrolling user certificates with S/MIME capabilities extension
>>> enable=true
>>> enableBy=ipara
>>> input.i1.class_id=certReqInputImpl
>>> input.i2.class_id=submitterInfoInputImpl
>>> input.list=i1,i2
>>> name=Manual User S/MIME capabilities Certificate Enrollment
>>> output.list=o1
>>> output.o1.class_id=certOutputImpl
>>> policyset.list=serverCertSet
>>> policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
>>> policyset.serverCertSet.1.constraint.name=Subject Name Constraint
>>> policyset.serverCertSet.1.constraint.params.accept=true
>>> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
>>> policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
>>> policyset.serverCertSet.1.default.name=Subject Name Default
>>> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=NWRA.COM
>>> policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.10.constraint.name=No Constraint
>>> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
>>> policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
>>> policyset.serverCertSet.10.default.params.critical=false
>>> policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.11.constraint.name=No Constraint
>>> policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
>>> policyset.serverCertSet.11.default.name=User Supplied Extension Default
>>> policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
>>> policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.12.constraint.name=No Constraint
>>> policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
>>> policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
>>> policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
>>> policyset.serverCertSet.2.constraint.name=Validity Constraint
>>> policyset.serverCertSet.2.constraint.params.notAfterCheck=false
>>> policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
>>> policyset.serverCertSet.2.constraint.params.range=740
>>> policyset.serverCertSet.2.default.class_id=validityDefaultImpl
>>> policyset.serverCertSet.2.default.name=Validity Default
>>> policyset.serverCertSet.2.default.params.range=731
>>> policyset.serverCertSet.2.default.params.startTime=0
>>> policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
>>> policyset.serverCertSet.3.constraint.name=Key Constraint
>>> policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
>>> policyset.serverCertSet.3.constraint.params.keyType=RSA
>>> policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
>>> policyset.serverCertSet.3.default.name=Key Default
>>> policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.4.constraint.name=No Constraint
>>> policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
>>> policyset.serverCertSet.4.default.name=Authority Key Identifier Default
>>> policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.5.constraint.name=No Constraint
>>> policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
>>> policyset.serverCertSet.5.default.name=AIA Extension Default
>>> policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
>>> policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
>>> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.nwra.com/ca/ocsp
>>> policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
>>> policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
>>> policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
>>> policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>>> policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
>>> policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
>>> policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
>>> policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
>>> policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>> policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
>>> policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
>>> policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
>>> policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
>>> policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
>>> policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
>>> policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
>>> policyset.serverCertSet.6.default.name=Key Usage Default
>>> policyset.serverCertSet.6.default.params.keyUsageCritical=true
>>> policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
>>> policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
>>> policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
>>> policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
>>> policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
>>> policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
>>> policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
>>> policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
>>> policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
>>> policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.7.constraint.name=No Constraint
>>> policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
>>> policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
>>> policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
>>> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
>>> policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
>>> policyset.serverCertSet.8.constraint.name=No Constraint
>>> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
>>> policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
>>> policyset.serverCertSet.8.default.name=Signing Alg
>>> policyset.serverCertSet.8.default.params.signingAlg=-
>>> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
>>> policyset.serverCertSet.9.constraint.name=No Constraint
>>> policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
>>> policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
>>> policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
>>> policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
>>> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
>>> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
>>> policyset.serverCertSet.9.default.params.crlDistPointsNum=1
>>> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.nwra.com/ipa/crl/MasterCRL.bin
>>> policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
>>> policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
>>> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
>>> profileId=userSMIMECert
>>> visible=false
>>>
>>>
>>> --
>>> Orion Poplawski
>>> he/him/his - surely the least important thing about me
>>> IT Systems Manager                    720-772-5637
>>> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>>> 3380 Mitchell Lane                    [email protected]
>>> Boulder, CO 80301                     https://www.nwra.com/
>>>
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to freeipa-users-[email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>>
>
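An added example, not code from the thread or from FreeIPA/Dogtag: a shell script that prepares a CSR in the shape the IPA check quoted by Alexander expects (subject CN equal to the IPA login) and that carries the mailbox as an rfc822Name subjectAltName rather than only as a DN emailAddress. The profile above rewrites the subject through its Subject Name Default (`CN=$request.req_subject_name.cn$, O=NWRA.COM`), which matches the issued certificate coming back as `O=NWRA.COM, CN=it_help` with the DN emailAddress gone; the profile component that can carry a SAN supplied in the CSR is the User Supplied Extension Default with `userExtOID=2.5.29.17` (the subjectAltName OID). The script also builds a second CSR with a display-name CN to show which request the login check rejects. The login, mailbox and organisation are made up; the mailbox is assumed to already be a value of the user's IPA mail attribute; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Builds an S/MIME CSR the way IPA's user-certificate check expects it
# (subject CN equal to the IPA login) and carries the mailbox as an
# rfc822Name SAN, so a profile that copies the user-supplied SAN
# (userExtensionDefaultImpl, OID 2.5.29.17) can put it in the certificate.
# LOGIN, MAIL and ORG are made up; MAIL is assumed to already be a value
# of the user's IPA mail attribute. Needs OpenSSL 1.1.1+ for -addext.
set -e

LOGIN="it_help"
MAIL="it_help@example.com"
ORG="Example Org"
WORK="${TMPDIR:-/tmp}/smime-csr.$$"
mkdir -p "$WORK"

# make_csr PREFIX CN: fresh RSA key and CSR written to PREFIX.key / PREFIX.csr.
# The mailbox goes into the DN as emailAddress and into the SAN as email:.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" \
        -subj "/O=$ORG/CN=$2/emailAddress=$MAIL" \
        -addext "subjectAltName=email:$MAIL" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
        >/dev/null 2>&1
}

# csr_cn FILE: print the subject commonName, the value IPA compares to the login.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
}

# check_cn_matches_login FILE LOGIN: the same rule IPA applies before it
# hands the request to Dogtag (cn != principal.username -> reject).
check_cn_matches_login() {
    [ "$(csr_cn "$1")" = "$2" ]
}

# csr_has_rfc822_san FILE MAIL: true if the CSR requests an rfc822Name SAN
# for MAIL, the place the mailbox has to live once the Subject Name Default
# has reduced the subject to CN and O.
csr_has_rfc822_san() {
    openssl req -in "$1" -noout -text | grep -qF "email:$2"
}

make_csr "$WORK/login" "$LOGIN"            # CN = login: the form IPA accepts
make_csr "$WORK/fullname" "IT Help Desk"   # CN = display name: the form IPA rejects

check_cn_matches_login "$WORK/login.csr" "$LOGIN"
csr_has_rfc822_san "$WORK/login.csr" "$MAIL"
if check_cn_matches_login "$WORK/fullname.csr" "$LOGIN"; then
    echo "unexpected: display-name CN passed the login check" >&2
    exit 1
fi
echo "ready: ipa cert-request $WORK/login.csr --principal $LOGIN --profile-id userSMIMECert"
```

Submit the login CSR with `ipa cert-request "$WORK/login.csr" --principal "$LOGIN" --profile-id userSMIMECert` and then read the issued certificate back with `openssl x509 -noout -text` to confirm the rfc822Name is present; if only the CN-derived name shows up in the SAN, the interaction between the profile's Copy Common Name to Subject Alternative Name default and its User Supplied Extension Default is the next thing to check. With NSS tooling the equivalent request extension is `certutil -R ... --extSAN email:ADDRESS`.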
