From ec5dec4a165071e661720e8ac43491ba38e43887 Mon Sep 17 00:00:00 2001
From: Marti Raudsepp
Date: Tue, 26 Sep 2017 01:32:08 +0300
Subject: [PATCH] Add option to disable owner email address in CSR subject (#939)

---
 docs/administration.rst | 6 ++++++
 lemur/certificates/service.py | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/administration.rst b/docs/administration.rst
index f7419bb1..84aab664 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -83,6 +83,12 @@ Basic Configuration
     Take care to write patterns in such way to not allow the `*` wildcard character inadvertently.
     To match a `.` character, it must be escaped (as `\.`).
 
+.. data:: LEMUR_OWNER_EMAIL_IN_SUBJECT
+    :noindex:
+
+    By default, Lemur will add the certificate owner's email address to certificate subject (for CAs that allow it).
+    Set this to `False` to disable this.
+
 .. data:: LEMUR_TOKEN_SECRET
     :noindex:
 
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 4ad7c219..915589d1 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -344,8 +344,9 @@ def create_csr(**csr_config):
     private_key = generate_private_key(csr_config.get('key_type'))
     builder = x509.CertificateSigningRequestBuilder()
 
-    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name']),
-                 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner'])]
+    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name'])]
+    if current_app.config.get('LEMUR_OWNER_EMAIL_IN_SUBJECT', True):
+        name_list.append(x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner']))
     if 'organization' in csr_config and csr_config['organization'].strip():
         name_list.append(x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config['organization']))
     if 'organizational_unit' in csr_config and csr_config['organizational_unit'].strip():
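Review bot: The new `LEMUR_OWNER_EMAIL_IN_SUBJECT` branch that decides whether `OID_EMAIL_ADDRESS` is appended to `name_list` in `create_csr` is not exercised by any test in this commit, and because the default is `True` every existing test still takes the old path; a test that calls `create_csr` with the option set to `False` and asserts the resulting CSR subject carries no `OID_EMAIL_ADDRESS` attribute would pin the new behavior. The default `True` now lives only in the `config.get` call and in docs/administration.rst, so a comment on the `if` line such as `# LEMUR_OWNER_EMAIL_IN_SUBJECT (default True): some CAs reject emailAddress in the subject DN; see docs/administration.rst` would keep the two in sync. The hunk relies on `current_app` already being imported in service.py, which is not visible here and is worth confirming. `create_csr` starts before this hunk (its signature appears only in the hunk header) and continues after it.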