Hi all,

cert-request ensures that any dNSName values in a CSR subjectAltName
requestExtension have a corresponding service/host principal in
FreeIPA and that their entries are writable by the bind principal.

It currently DOES NOT enforce CA ACLs for these alternative
principals, i.e. it does not check that there is a caacl rule
allowing issuance of certificates to each alt-principal (using the
chosen profile).

Should it?  I'm leaning towards "yes" but I want other perspectives.

To complete the picture, only the main principal has the issued
certificate added to its userCertificate attribute; the
alt-principals do not.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
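The check being proposed above, as an added example that is not part of the original post and not FreeIPA's own code. It assumes a deliberately simplified CA ACL model (a rule lists the profile IDs it allows, or "all", and the host/service principals it covers, or "all"; real caacl rules also support groups, host groups and categories, which are omitted here), assumes that a SAN dNSName maps to a principal with the same service type as the CSR's subject principal (HTTP/, ldap/, host/ ...), and constructs the realm, the rules and the CSR data inline.

```python
"""Model of evaluating CA ACLs for every principal a CSR would name.

Illustrative example only; the rule shape below is a simplified stand-in
for FreeIPA's caacl entries, and the realm, rules and CSR data are
constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

REALM = "EXAMPLE.TEST"  # assumed realm


@dataclass(frozen=True)
class CaAcl:
    """One simplified caacl rule (hypothetical shape, not FreeIPA's schema)."""
    name: str
    profiles: FrozenSet[str]    # allowed profile IDs, or {"all"}
    principals: FrozenSet[str]  # covered principal names, or {"all"}

    def permits(self, principal: str, profile: str) -> bool:
        profile_ok = "all" in self.profiles or profile in self.profiles
        principal_ok = "all" in self.principals or principal in self.principals
        return profile_ok and principal_ok


def alt_principals(subject_principal: str, dns_names: List[str]) -> List[str]:
    """Map each SAN dNSName to the principal cert-request would look up.

    Assumption: the alt-principal keeps the subject principal's service type
    and swaps in the SAN hostname.  A dNSName that maps back onto the
    subject principal itself is dropped, so every principal appears once.
    """
    service, _, _ = subject_principal.partition("/")
    result = []
    for name in dns_names:
        prin = f"{service}/{name}@{REALM}"
        if prin != subject_principal and prin not in result:
            result.append(prin)
    return result


def check_caacls(acls: List[CaAcl], subject_principal: str,
                 dns_names: List[str], profile: str) -> List[str]:
    """Return every principal (subject first, then alt) lacking a permitting rule.

    An empty list means some rule allows issuance with this profile to each
    principal the certificate will name, which is the check the post asks
    whether cert-request should perform for the alt-principals too.
    """
    denied = []
    for prin in [subject_principal] + alt_principals(subject_principal, dns_names):
        if not any(acl.permits(prin, profile) for acl in acls):
            denied.append(prin)
    return denied


# Constructed sample rules: one covers two web hosts for the service
# profile, one covers every host principal for every profile.
SAMPLE_ACLS = [
    CaAcl("web-servers",
          frozenset({"caIPAserviceCert"}),
          frozenset({f"HTTP/web1.example.test@{REALM}",
                     f"HTTP/web2.example.test@{REALM}"})),
    CaAcl("hosts-any-profile",
          frozenset({"all"}),
          frozenset({f"host/web1.example.test@{REALM}"})),
]

# Constructed sample CSR data: subject principal plus SAN dNSNames.
SAMPLE_SUBJECT = f"HTTP/web1.example.test@{REALM}"
SAMPLE_SANS = ["web1.example.test", "web2.example.test", "alt.example.test"]


if __name__ == "__main__":
    denied = check_caacls(SAMPLE_ACLS, SAMPLE_SUBJECT, SAMPLE_SANS,
                          "caIPAserviceCert")
    if denied:
        print("CA ACL check failed for:", ", ".join(denied))
    else:
        print("CA ACLs permit issuance to every principal in the CSR")
```

With the sample data the subject principal and web2 pass the "web-servers" rule but alt.example.test has no rule, so the request would be refused under the stricter policy even though the existing dNSName-to-principal and write-permission checks might already have passed.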
