On Tue, 2009-10-20 at 12:02 -0400, Rob Crittenden wrote:
> First pass at enforcing certificates be requested from same host
> 
> We want to only allow a machine to request a certificate for itself, not 
> for other machines. I've added a new taskgroup which will allow this.
> 
> The requesting IP is resolved and compared to the subject of the CSR to 
> determine if they are the same host. The same is done with the service 
> principal. Subject alt names are not queried yet.
> 
> This does not yet grant machines actual permission to request 
> certificates; that is still limited to the taskgroup request_certs.
> 
> This also fixes some minor typos I discovered.
> 
> rob

ack.  pushed to master.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
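
The same-host check described in the quoted message, sketched as an added example (not code from the FreeIPA patch): the function names, the injected `reverse_lookup` resolver and the sample PTR table are assumptions made here. As in the message, subject alt names are not examined.

```python
import ipaddress
import socket

def system_reverse_lookup(ip):
    """Resolve an IP to a hostname via the system resolver (raises OSError on failure)."""
    return socket.gethostbyaddr(ip)[0]

def normalize(hostname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return hostname.strip().rstrip(".").lower()

def principal_host(principal):
    """Host part of a service principal such as 'HTTP/web1.example.com@EXAMPLE.COM'."""
    name = principal.split("@", 1)[0]
    service, sep, host = name.partition("/")
    if not (sep and service and host):
        raise ValueError("not a service principal: %r" % principal)
    return host

def check_same_host(remote_ip, csr_subject_cn, principal,
                    reverse_lookup=system_reverse_lookup):
    """Return (allowed, reason): the requester may only ask for its own certificate."""
    ipaddress.ip_address(remote_ip)  # reject anything that is not an IP literal
    try:
        requester = normalize(reverse_lookup(remote_ip))
    except OSError:
        return False, "requesting IP does not resolve"
    if normalize(csr_subject_cn) != requester:
        return False, "CSR subject names a different host"
    try:
        if normalize(principal_host(principal)) != requester:
            return False, "service principal names a different host"
    except ValueError:
        return False, "not a service principal"
    return True, "ok"

# Constructed sample data: a stand-in PTR table so the example runs offline.
SAMPLE_PTR = {"192.0.2.10": "web1.example.com.", "192.0.2.11": "web2.example.com"}

def sample_lookup(ip):
    try:
        return SAMPLE_PTR[ip]
    except KeyError:
        raise OSError("no PTR record for %s" % ip)

if __name__ == "__main__":
    for cn in ("web1.example.com", "web2.example.com"):
        print(cn, check_same_host("192.0.2.10", cn,
                                  "HTTP/web1.example.com@EXAMPLE.COM", sample_lookup))
```

The result is only as trustworthy as the reverse DNS zone that answers for the requesting IP.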
