On Tue, 2009-11-24 at 16:17 -0500, Rob Crittenden wrote:
> The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes 
> so we can't get the subject alt names (or other interesting bits). This 
> pyasn1-based parser adds that support.
> I'm also switching to the pyasn1 X509v3 support because older releases 
> of pyOpenSSL lacked the get_components() method on subjects making it 
> difficult to get a usable subject.
> This PKCS#10 parser cannot handle all possible attribute types. It 
> should be robust enough to not blow up if it gets something it knows 
> nothing about.
> If a subjectaltname extension is present in a CSR we:
> - require that the host(s) exist in IPA
> - If the requestor is a machine then the alt names must be present in 
> the service's managedBy attribute. This is so we can control what 
> host(s) a machine can request a cert for.
> I'm working on a way to be able to set the service principal within the 
> request. Nalin's certmonger program will set it as an otherName in the 
> GeneralNames attribute. We should be able to make principal an optional 
> argument to cert-request and use the value from the CSR (and blow up if 
> we get it neither way).
> rob

ack.  pushed to master.
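
Added example, not Rob's patch and not FreeIPA's own parser: a dependency-free DER walk over a PKCS#10 request that pulls dNSName entries out of the extensionRequest attribute, ignores attribute types and GeneralName forms it does not know (the "don't blow up" requirement above), and then applies the two alt-name rules from the message. The CSR is built inline with a dummy key and signature (structurally valid, not verifiable), and the host names, the managedBy set and the helper names are constructed for the example.

```python
"""Walk a PKCS#10 CSR for subjectAltName dNSName entries without pyasn1 or
pyOpenSSL (example code, not FreeIPA's). Unknown attributes, extensions and
GeneralName types are skipped rather than raising."""

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_COMMON_NAME = "2.5.4.3"


def der_tlv(tag, content):
    """Encode one DER TLV with a short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data, pos):
    """Return (tag, content, next_pos); raise ValueError on truncated input."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("content runs past end of data")
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Split a constructed TLV's content into a list of (tag, content)."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def build_csr(cn, alt_names, extra_attribute=b""):
    """Constructed sample CSR: correct PKCS#10 layout, dummy key/signature."""
    subject = der_tlv(0x30, der_tlv(0x31, der_tlv(
        0x30, encode_oid(OID_COMMON_NAME) + der_tlv(0x0C, cn.encode()))))
    spki = der_tlv(0x30, der_tlv(0x30, encode_oid("1.2.840.113549.1.1.1")
                                 + b"\x05\x00") + der_tlv(0x03, b"\x00" * 9))
    general_names = der_tlv(0x30, b"".join(der_tlv(0x82, n.encode()) for n in alt_names))
    san = der_tlv(0x30, encode_oid(OID_SUBJECT_ALT_NAME) + der_tlv(0x04, general_names))
    ext_req = der_tlv(0x30, encode_oid(OID_EXTENSION_REQUEST)
                      + der_tlv(0x31, der_tlv(0x30, san)))
    cri = der_tlv(0x30, der_tlv(0x02, b"\x00") + subject + spki
                  + der_tlv(0xA0, ext_req + extra_attribute))   # attributes [0]
    sig_alg = der_tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    return der_tlv(0x30, cri + sig_alg + der_tlv(0x03, b"\x00" * 9))


def csr_subject_alt_names(der):
    """Return dNSName entries from the CSR's subjectAltName extension request."""
    tag, cr, _ = read_tlv(der, 0)
    cri_tag, cri = children(cr)[0]
    if tag != 0x30 or cri_tag != 0x30:
        raise ValueError("not a CertificationRequest")
    names = []
    for tag, body in children(cri):
        if tag != 0xA0:                                   # attributes [0] IMPLICIT SET
            continue
        for attr_tag, attr in children(body):
            parts = children(attr)
            if attr_tag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06:
                continue                                  # malformed attribute: skip
            if decode_oid(parts[0][1]) != OID_EXTENSION_REQUEST:
                continue                                  # unknown attribute type: skip
            for _, exts in children(parts[1][1]):         # SET OF Extensions
                for _, ext in children(exts):             # SEQUENCE OF Extension
                    f = children(ext)
                    if len(f) < 2 or f[0][0] != 0x06 or f[-1][0] != 0x04:
                        continue
                    if decode_oid(f[0][1]) != OID_SUBJECT_ALT_NAME:
                        continue
                    for gseq_tag, gns in children(f[-1][1]):   # GeneralNames
                        if gseq_tag != 0x30:
                            continue
                        for gn_tag, gn in children(gns):
                            if gn_tag == 0x82:            # dNSName [2] IA5String
                                names.append(gn.decode("ascii"))
                            # otherName (certmonger's principal), IP etc. ignored here
    return names


def disallowed_alt_names(alt_names, ipa_hosts, managed_by, requestor_is_machine):
    """Names that fail the rules: must exist in IPA, and for a machine
    requestor must also be in the service's managedBy (sets are constructed)."""
    bad = [n for n in alt_names if n not in ipa_hosts]
    if requestor_is_machine:
        bad += [n for n in alt_names if n in ipa_hosts and n not in managed_by]
    return bad
```

The checks are split deliberately: `csr_subject_alt_names` only extracts, so a request with a challengePassword or some vendor attribute ahead of the extensionRequest still yields its names, and the policy decision lives in `disallowed_alt_names`, where it can be unit-tested against IPA data without a CSR at all.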

Freeipa-devel mailing list