On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> Hi Martin,
> #4559  [RFE] Support lightweight sub-CAs
>     Remaining work is not huge but may be more than can be done this
>     week even with Christian's help; the largest remaining concern
>     being Custodia.
>     As per discussion in team meeting, I'm going to liaise with Simo
>     and determine a plan for the key replication.
> #2915 ipa-getcert does not allow setting specific EKU on
> certificates
>     Involves certmonger so I will need to do a bit more
>     investigation.
>     If non-trivial to accomplish this with the default profile, now
>     that we have support for multiple profiles it could be done with
>     a separate profile, as long as certmonger passes the profile
>     properly with `-T' argument.  I will follow up on this tomorrow
>     and let you know what I find out.

Ok. I was not involved when the ticket was filed, but it does not seem to me like
something that should get much priority and your time at this stage.

> #4970   Server certificate profile should always include a Subject
> Alternate name for the host
>     If a subjectAltName request extension is in CSR, it is checked
>     by `cert-request', and copied onto the final certificate by
>     Dogtag.  In the default profile there is currently no other way
>     to specify the SAN.
>     A possible approach to resolve this with the default profile is
>     to update it to include a separate, optional subjectAltName
>     request input, which could be filled in if explicit SAN is not
>     provided in CSR.  There are related lines of investigation.
>     Will provide update tomorrow.


> #4752   Provide an IEC 62351-8 / DNP3 ID certificate profile
>     We can provide a profile that supports DNP3 extension now if it
>     is included in a CSR extension request.
>     The patches for IEC 62351-8 extension are in review.  Once that is in
>     Dogtag we will be able to provide a profile that supports it
>     with an extensionRequest in CSR.

Ok (can be FreeIPA 4.2.x IMO).

> #3473  Switch to using RESTful interface in dogtag CA interface
>     Postpone; there is not an urgent need.

Right, already did :-)
