  1. EJBCA
  2. ECA-5139

Limit OIDs that are acceptable in Extension Override

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.7.0
    • Component/s: None
    • Labels:
      None
    • Sprint:
      6.7.0 Roundup

      Description

      If we allow "extension override" in certificate profiles, all extensions passed by the RA will be put into the issued certificate. It would be good to be able to also configure "overridable extension OIDs". So if for example:

      • Allow Extension Override is enabled in the Certificate Profile
      • Overridable Extension OIDs is set to 1.1.1.2 in the Certificate Profile
      • A CMP request comes in with extensions 1.1.1.1 and 1.1.1.2
      • The issued certificate will include the extension 1.1.1.2, but not 1.1.1.1

      Currently the issued certificate will contain both 1.1.1.1 and 1.1.1.2; there is no way to limit what the RA can do with extension override.

      • If "Overridable Extension OIDs" is not set (null/empty) above, everything is allowed and the certificate will include 1.1.1.1 and 1.1.1.2.
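
The filtering rule described above, as an added Python example that is not EJBCA code. The function names, the comma-separated format of the setting, the dummy extension values, and the behaviour when extension override is disabled (no request extensions are honoured) are assumptions made for illustration.

```python
import re

# Dotted-decimal OID: first arc 0-2, at least two arcs, no leading zeros.
_OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")


def parse_overridable_oids(setting):
    """Parse the profile's OID list (assumed comma-separated); None/empty means 'not set'."""
    if setting is None or not setting.strip():
        return None
    oids = {item.strip() for item in setting.split(",") if item.strip()}
    bad = sorted(o for o in oids if not _OID_RE.match(o))
    if bad:
        # Fail closed: a typo in the profile must not silently change the policy.
        raise ValueError("malformed OID(s) in profile: " + ", ".join(bad))
    return oids


def filter_request_extensions(requested, allow_override, overridable_setting):
    """Return (accepted, dropped) extensions for one request.

    requested: list of (oid, critical, value_bytes) tuples taken from the request.
    The dropped list is returned so the caller can log what the RA asked for.
    """
    if not allow_override:
        # Assumption: with override disabled, no request extension is honoured.
        return [], list(requested)
    allowed = parse_overridable_oids(overridable_setting)
    if allowed is None:
        # Not set: everything the RA sent is allowed, as the description states.
        return list(requested), []
    accepted = [e for e in requested if e[0] in allowed]
    dropped = [e for e in requested if e[0] not in allowed]
    return accepted, dropped


# Constructed sample: the CMP request from the description, with dummy values.
SAMPLE_REQUEST = [("1.1.1.1", False, b"\x05\x00"), ("1.1.1.2", False, b"\x05\x00")]

if __name__ == "__main__":
    for setting in ("1.1.1.2", ""):
        ok, dropped = filter_request_extensions(SAMPLE_REQUEST, True, setting)
        print(repr(setting), "issued:", [e[0] for e in ok],
              "dropped:", [e[0] for e in dropped])
```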


            People

            Assignee:
            tomas Tomas Gustavsson
            Reporter:
            tomas Tomas Gustavsson
            Verified by:
            Mike Agrenius Kushner