Use OIDC Provisioner for generating certificates with custom CommonName

[sbstn42]

Hi everybody,

I set up an OIDC Provisioner and want to allow every authenticated user to create certificates for a specific domain. The problem is, that StepCA completely ignores the subject (and also SANs) provided by "step ca certificate subdomain.exampledomain.org my.crt my.key".
The CommonName of the certificate I get contains the sub claim (means my email-address) from the oAuth Response and the SANs are set to my email-address and there is one URI-SAN set to the idp-URL followed by the sub claim (same as in the CN).
I also tried to set my email-address in the "admins"-key of the provisioner, but this also did not have any effect and I get the same certificate details since my provided subject is ignored.

Do you have any Idea what I can do here?

[sbstn42]

I tried something further and saw that I could use ".Insecure.CR*" in templates. I think that this will solve my problem, even if the values are not authenticated.

If there are better ways to achieve my goals I would be very happy to get some suggestions.

[tashian]

Just to clarify this.
When you create an OIDC provisioner, you're creating a trust relationship between step-ca and the authorization server.
So, certificates are created based on the contents of the OIDC token.
Parameters from the step client are not part of the trust relationship, by default, and this is why the .CR values are marked as insecure.