Hi all,

cert-request ensures that any dNSName values in a CSR subjectAltName requestExtension have a corresponding service/host principal in FreeIPA and that their entries are writable by the bind principal.

It currently DOES NOT enforce CA ACLs for these alternative principals, i.e. it does not check that there is a caacl rule allowing issuance of certificates to each alt-principal (using the chosen profile). Should it? I'm leaning towards "yes" but I want other perspectives.

To complete the picture, only the main principal has the issued certificate added to its userCertificate attribute; the alt-principals do not.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
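To make the gap Fraser describes concrete, here is a small policy model of the cert-request authorisation checks, added as an illustration for this thread rather than FreeIPA's own code. The rule format, the directory layout, the function names, the realm EXAMPLE.TEST, the hostnames and the bind principal are all constructed assumptions; the only real name used is the default profile caIPAserviceCert. The model derives the alt-principal for a dNSName by swapping the hostname into the subject principal's service type (an assumption about the mapping, not a description of the real lookup), and runs the same request twice: once with the current behaviour (CA ACL checked for the main principal only) and once with CA ACLs also enforced for each alt-principal.

```python
"""Model of cert-request authorisation for SAN dNSName values.

Added illustration, not FreeIPA code: data structures, rule format and
function names are assumptions chosen for clarity, not the ipalib API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CaAcl:
    """Simplified CA ACL: which profiles may be issued to which principals."""
    name: str
    profiles: frozenset
    principals: frozenset          # explicitly listed member principals
    all_principals: bool = False   # models a category=all style rule

    def permits(self, principal, profile):
        return profile in self.profiles and (
            self.all_principals or principal in self.principals
        )


def alt_principal_for(main_principal, dnsname):
    """Derive the principal a dNSName must map to.

    Assumption for this model: same service type as the subject principal,
    with the hostname replaced by the SAN value.
    """
    service, rest = main_principal.split("/", 1)
    _host, realm = rest.split("@", 1)
    return f"{service}/{dnsname}@{realm}"


def authorize_cert_request(main_principal, dnsnames, profile, directory,
                           acls, bind_principal, enforce_alt_caacl):
    """Return (True, 'ok') if the request passes, else (False, reason).

    directory: principal -> {"writable_by": set of bind principals}
    enforce_alt_caacl: False models current behaviour, True the proposal.
    """
    if main_principal not in directory:
        return False, f"unknown principal {main_principal}"
    if not any(a.permits(main_principal, profile) for a in acls):
        return False, f"no CA ACL permits {profile} for {main_principal}"

    for name in dnsnames:
        alt = alt_principal_for(main_principal, name)
        entry = directory.get(alt)
        # Existing check 1: the SAN must correspond to a known principal.
        if entry is None:
            return False, f"dNSName {name}: no principal {alt}"
        # Existing check 2: the bind principal must be able to write it.
        if bind_principal not in entry["writable_by"]:
            return False, f"dNSName {name}: {bind_principal} cannot write {alt}"
        # Proposed check 3: a CA ACL must also cover the alt-principal.
        if enforce_alt_caacl and not any(a.permits(alt, profile) for a in acls):
            return False, f"dNSName {name}: no CA ACL permits {profile} for {alt}"
    return True, "ok"


# Constructed sample data: one web service covered by an ACL, one not.
REALM = "EXAMPLE.TEST"
WEB1 = f"HTTP/web1.example.test@{REALM}"
DB1 = f"HTTP/db1.example.test@{REALM}"
ADMIN = f"admin@{REALM}"

DIRECTORY = {
    WEB1: {"writable_by": {ADMIN}},
    DB1: {"writable_by": {ADMIN}},
}
ACLS = [
    CaAcl("web-servers", frozenset({"caIPAserviceCert"}), frozenset({WEB1})),
]


def demo():
    """Same request under current and proposed behaviour."""
    args = (WEB1, ["db1.example.test"], "caIPAserviceCert",
            DIRECTORY, ACLS, ADMIN)
    current = authorize_cert_request(*args, enforce_alt_caacl=False)
    proposed = authorize_cert_request(*args, enforce_alt_caacl=True)
    return current, proposed


if __name__ == "__main__":
    for label, result in zip(("current", "proposed"), demo()):
        print(f"{label}: {result}")
```

With the sample data, the current behaviour issues a certificate whose SAN names db1 even though no CA ACL covers db1's service principal, because writability of the alt-principal's entry is the only gate; the proposed check refuses the same request and names the missing ACL.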