On 07/02/2015 05:18 PM, Fraser Tweedale wrote:
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>> #4970 Server certificate profile should always include a Subject
>>> Alternate name for the host
>>> If a subjectAltName request extension is in CSR, it is checked
>>> by `cert-request', and copied onto the final certificate by
>>> Dogtag. In the default profile there is currently no other way
>>> to specify the SAN.
>>> A possible approach to resolve this with the default profile is
>>> to update it to include a separate, optional subjectAltName
>>> request input, which could be filled in if explicit SAN is not
>>> provided in CSR. There are related lines of investigation.
>>> Will provide update tomorrow.
> I investigated this. My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.
Thanks. What we need to do now (in the couple days left before 4.2 GA) is to
think if there is any problem that would prevent us from adding this
functionality later. If there is no problem, we are mostly done as we won't be
able to do the Dogtag changes before 4.2 GA I suppose.
If yes, that's another story and we would need to plan what can be done before