On Tue, 2009-11-24 at 16:17 -0500, Rob Crittenden wrote:
> The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes
> so we can't get the subject alt names (or other interesting bits). This
> pyasn1-based parser adds that support.
>
> I'm also switching to the pyasn1 X509v3 support because older releases
> of pyOpenSSL lacked the get_components() method on subjects, making it
> difficult to get a usable subject.
>
> This PKCS#10 parser cannot handle all possible attribute types. It
> should be robust enough to not blow up if it gets something it knows
> nothing about.
>
> If a subjectaltname extension is present in a CSR we:
>
> - require that the host(s) exist in IPA
> - If the requestor is a machine then the alt names must be present in
>   the service's managedBy attribute. This is so we can control what
>   host(s) a machine can request a cert for.
>
> I'm working on a way to be able to set the service principal within the
> request. Nalin's certmonger program will set it as an otherName in the
> GeneralNames attribute. We should be able to make principal an optional
> argument to cert-request and use the value from the CSR (and blow up if
> we get it neither way).
>
> rob
ack. pushed to master.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
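The attribute walk Rob describes, as an added example that is not the FreeIPA patch itself: a pure-stdlib DER parser that pulls the dNSName entries out of a CSR's extensionRequest attribute and ignores attribute types and GeneralName forms it does not recognise, which is the "don't blow up on unknown attributes" behaviour the message asks for. The sample CSR is hand-constructed (unsigned, with empty subject and key fields); the OID byte strings are the standard DER encodings of extensionRequest, subjectAltName and challengePassword.

```python
# Added example, not FreeIPA code. Sample CSR below is constructed test input.
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")       # 1.2.840.113549.1.9.14 extensionRequest
SAN_OID = bytes.fromhex("551d11")                       # 2.5.29.17 subjectAltName
CHALLENGE_PW_OID = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7 challengePassword


def tlv(tag, content):
    """Encode one short-form DER TLV (the constructed sample stays under 128 bytes)."""
    return bytes([tag, len(content)]) + content


def read_tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(content):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val


def csr_dns_names(csr_der):
    """Return the dNSName SAN entries of a PKCS#10 request, [] if there are none."""
    _, req, _ = read_tlv(csr_der)                 # CertificationRequest
    _, info, _ = read_tlv(req)                    # CertificationRequestInfo
    names = []
    for tag, attrs in list(children(info))[3:]:   # after version, subject, SPKI
        if tag != 0xA0:                           # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in children(attrs):           # Attribute ::= SEQUENCE { type, values }
            (_, oid), (_, values) = list(children(attr))[:2]
            if oid != EXT_REQ_OID:
                continue                          # unknown attribute type: skip, don't fail
            for _, exts in children(values):      # each value is an Extensions SEQUENCE
                for _, ext in children(exts):
                    parts = list(children(ext))   # extnID, [critical], extnValue
                    if parts[0][1] != SAN_OID:
                        continue
                    _, gen_names, _ = read_tlv(parts[-1][1])  # OCTET STRING -> GeneralNames
                    names += [v.decode("ascii") for t, v in children(gen_names) if t == 0x82]
    return names                                  # iPAddress/otherName etc. are ignored


def sample_csr():
    """Constructed CSR: a challengePassword attribute plus a SAN with two DNS names and an IP."""
    san = tlv(0x30, tlv(0x82, b"www.example.test") + tlv(0x87, bytes([192, 0, 2, 1]))
              + tlv(0x82, b"mail.example.test"))
    ext_req = tlv(0x30, tlv(0x06, EXT_REQ_OID)
                  + tlv(0x31, tlv(0x30, tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, san)))))
    pw_attr = tlv(0x30, tlv(0x06, CHALLENGE_PW_OID) + tlv(0x31, tlv(0x0C, b"secret")))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, pw_attr + ext_req))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

The returned host names are what a cert-request handler would then check against the hosts known to IPA and, for a machine requestor, against the service's managedBy list.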