How to always add an attribute / value combination to an SDN? #606
-
|
I have been given the requirement to ensure that all certificates issued by an End-Entity-Profile include a specific attribute/value combination in the Subject Distinguished Name (SDN), such as OU=For testing only. Since the Certificate Signing Requests (CSRs) used to initiate certificate issuance are beyond my control, I need a method to either overwrite the value coming from the CSR or add this field. Is there a way to accomplish this? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
There are many ways here depending on how you use EJBCA, I think you know :-). I suspect you may be looking for this feature though? |
Beta Was this translation helpful? Give feedback.
-
|
This is the feature I was looking for. Thank you very much. Interestingly I couldn't activate it on my EJBCA Community Edition 8.0 in my devlab but on our productive 8.2 Enterprise Edition it is working. Probably I have a deeper misconfiguration, but I wanted to mention this behavior, in case someone else runs into the same problem and finds this thread. For my purposes, this is sufficient. |
Beta Was this translation helpful? Give feedback.
There are many ways here depending on how you use EJBCA, I think you know :-).
You can ignore what's in the CSR completely (default behavior, nothing is trusted from the end entity), so only what you have pre-registered is used.
End entity profiles can control much on what is required or not required, optional, exact values, regexp validation, etc etc.
I suspect you may be looking for this feature though?
https://docs.keyfactor.com/ejbca/latest/end-entity-profiles-fields#id-(8.3.1latest)EndEntityProfilesFields-AllowmergeDNacrossallinterfacesAllow_merge_DN_Webservices