My setup has an extra certificate profile caIPAserviceCertWild for issuing wildcard certificates.
The way this works is that a certificate request is made for a service HTTP/apps.ocp.example.qq. The certificate profile arranges for the issued certificate to be for *.apps.ocp.example.qq.
In order for freeipa-issuer to be able to use this profile, there needs to be a way to specify the certificate profile in the Issuer object.
(BTW, I was thinking that the principal (host vs service), CA, certificate profile, and so on are really properties of the certificate request, rather than the issuer. One way to make these fields be per-request might be to read them from the annotations of the Certificate object. That way users wouldn't need to create a new Issuer for each additional combination of host/service/ca/profile...)