Add option to disable owner email address in CSR subject (#939)

2017-09-26 01:32:08 +03:00 · 2017-09-26 01:32:08 +03:00 · ec5dec4a16
parent 4cfb621423
commit ec5dec4a16
2 changed files with 9 additions and 2 deletions
--- a/docs/administration.rst
+++ b/docs/administration.rst
@ -83,6 +83,12 @@ Basic Configuration
        Take care to write patterns in such way to not allow the `*` wildcard character inadvertently. To match a `.`
        character, it must be escaped (as `\.`).

+.. data:: LEMUR_OWNER_EMAIL_IN_SUBJECT
+    :noindex:
+
+        By default, Lemur will add the certificate owner's email address to certificate subject (for CAs that allow it).
+        Set this to `False` to disable this.
+
 .. data:: LEMUR_TOKEN_SECRET
    :noindex:

--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -344,8 +344,9 @@ def create_csr(**csr_config):
    private_key = generate_private_key(csr_config.get('key_type'))

    builder = x509.CertificateSigningRequestBuilder()
-    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name']),
-                 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner'])]
+    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name'])]
+    if current_app.config.get('LEMUR_OWNER_EMAIL_IN_SUBJECT', True):
+        name_list.append(x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner']))
    if 'organization' in csr_config and csr_config['organization'].strip():
        name_list.append(x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config['organization']))
    if 'organizational_unit' in csr_config and csr_config['organizational_unit'].strip():