authorBjørn Christian Seime <bjorncs@oath.com>2017-12-15 13:07:44 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2017-12-18 10:58:34 +0100
commitf139b83f27db5912090868addef4c028d9ce1baa (patch)
treea9b86b2eaaf0586bae20b4d758bafa73ff8ab3ce /controller-api
parentaabc055f423aecdfae04f85e4b3fb9f694b0cb45 (diff)
Verify that certificate is not a role certificate
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java10
1 files changed, 9 insertions, 1 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
index 6c6bc61f502..04ec0b61614 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
@@ -40,7 +40,15 @@ public class AthenzUtils {
}
public static AthenzIdentity createAthenzIdentity(X509Certificate certificate) {
- return createAthenzIdentity(getCommonName(certificate));
+ String commonName = getCommonName(certificate);
+ if (isAthenzRoleIdentity(commonName)) {
+ throw new IllegalArgumentException("Athenz role certificate not supported");
+ }
+ return createAthenzIdentity(commonName);
+ }
+
+ private static boolean isAthenzRoleIdentity(String commonName) {
+ return commonName.contains(":role.");
}
private static String getCommonName(X509Certificate certificate) {
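Review bot: The role-certificate check in `isAthenzRoleIdentity` is a case-sensitive substring deny-list on the CN (`commonName.contains(":role.")`), so it rejects only that one spelling and leaves every other unexpected CN shape to `createAthenzIdentity(String)`, whose parsing is not visible here. If principal names in this code base never contain a colon, a stricter guard such as `if (commonName.indexOf(':') >= 0) { throw new IllegalArgumentException("Athenz role certificate not supported"); }`, or a positive match against the expected `domain.name` form, would fail closed instead. `getCommonName` begins on the hunk's last line and its body is outside the hunk, so it is worth confirming that it cannot return null before `contains` is called. It is also worth checking that callers on the authentication path turn the new `IllegalArgumentException` into a rejected request rather than a server error, and documenting the throw with `@throws IllegalArgumentException if the certificate is an Athenz role certificate` on `createAthenzIdentity(X509Certificate)`.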