First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this.
The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet.
This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
This also fixes some minor typos I discovered. rob
freeipa-299-cert.patch
Description: application/mbox
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel