On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> > Hi Martin,
> >
> > #4559 [RFE] Support lightweight sub-CAs
> >
> >   Remaining work is not huge but may be more than can be done this
> >   week even with Christian's help; the largest remaining concern
> >   being Custodia.
> >
> >   As per discussion in team meeting, I'm going to liaise with Simo
> >   and determine a plan for the key replication.
> >
> >
> > #2915 ipa-getcert does not allow setting specific EKU on
> > certificates
> >
> >   Involves certmonger so I will need to do a bit more
> >   investigation.
> >
> >   If non-trivial to accomplish this with the default profile, now
> >   that we have support for multiple profiles it could be done with
> >   a separate profile, as long as certmonger passes the profile
> >   properly with `-T' argument. I will follow up on this tomorrow
> >   and let you know what I find out.
>
> Ok. I was not involved when the ticket was filed, but it does not seem to me as
> something that should get much priority and your time at this stage.
>

I haven't looked at this yet.

> > #4970 Server certificate profile should always include a Subject
> > Alternate name for the host
> >
> >   If a subjectAltName request extension is in CSR, it is checked
> >   by `cert-request', and copied onto the final certificate by
> >   Dogtag. In the default profile there is currently no other way
> >   to specify the SAN.
> >
> >   A possible approach to resolve this with the default profile is
> >   to update it to include a separate, optional subjectAltName
> >   request input, which could be filled in if explicit SAN is not
> >   provided in CSR. There are related lines of investigation.
> >   Will provide update tomorrow.
>
> Ok.
>

I investigated this. My comments are on the ticket:
https://fedorahosted.org/freeipa/ticket/4970#comment:7
but in brief: the way our current SAN support is implemented makes
this a non-trivial ticket.

Thanks,
Fraser

> > #4752 Provide an IEC 62351-8 / DNP3 ID certificate profile
> >
> >   We can provide a profile that supports DNP3 extension now if it
> >   is included in a CSR extension request.
> >
> >   The patches for IEC 62351-8 extension are in review. Once that is in
> >   Dogtag we will be able to provide a profile that supports it
> >   with an extensionRequest in CSR.
>
> Ok (can be FreeIPA 4.2.x IMO).
>
> > #3473 Switch to using RESTful interface in dogtag CA interface
> >
> >   Postpone; there is not an urgent need.
>
> Right, already did :-)
>