Hi,
On 2.7.2015 at 17:18, Fraser Tweedale wrote:
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>> #2915 ipa-getcert does not allow setting specific EKU on
>>> certificates
>>> Involves certmonger so I will need to do a bit more
>>> investigation.
>>> If non-trivial to accomplish this with the default profile, now
>>> that we have support for multiple profiles it could be done with
>>> a separate profile, as long as certmonger passes the profile
>>> properly with `-T' argument. I will follow up on this tomorrow
>>> and let you know what I find out.
>> Ok. I was not involved when the ticket was filed, but it does not seem to me as
>> something that should get much priority and your time at this stage.
> I haven't looked at this yet.
FYI getcert supports setting EKU in the CSR using the -U option for a
long time. It also correctly passes the profile to IPA since 0.78.
>>> #4970 Server certificate profile should always include a Subject
>>> Alternate name for the host
>>> If a subjectAltName request extension is in CSR, it is checked
>>> by `cert-request', and copied onto the final certificate by
>>> Dogtag. In the default profile there is currently no other way
>>> to specify the SAN.
>>> A possible approach to resolve this with the default profile is
>>> to update it to include a separate, optional subjectAltName
>>> request input, which could be filled in if explicit SAN is not
>>> provided in CSR. There are related lines of investigation.
>>> Will provide update tomorrow.
>> Ok.
> I investigated this. My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.
On a related note, I think we should also always include Kerberos
principal name SAN.
Honza
--
Jan Cholasta
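Added illustration, not code from the thread or from FreeIPA/certmonger: it builds a CSR carrying the EKU and dNSName SAN extensions a client like `getcert -U`/`-D` would emit, and runs a simplified stand-in for the SAN check that `cert-request` is said to perform (the real check lives in FreeIPA; the host-match rule here is an assumption). Requires the `cryptography` package; the hostname and EKU OID are constructed sample values.

```python
"""Build a CSR with EKU + SAN request extensions and validate the SAN against
the requested host, mirroring (in simplified form) what cert-request checks
before the CSR reaches Dogtag. Assumption: SAN dNSNames must equal the host."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_csr(hostname, eku_oids):
    """Return a PEM CSR for `hostname` with a dNSName SAN and the given EKU OIDs
    (dotted strings, e.g. "1.3.6.1.5.5.7.3.1" for id-kp-serverAuth)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        # What getcert -D <host> puts into the request.
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        # What getcert -U <oid> puts into the request.
        .add_extension(x509.ExtendedKeyUsage([x509.ObjectIdentifier(o) for o in eku_oids]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def check_csr(pem, expected_host):
    """Simplified cert-request style check: every dNSName in the SAN must be the
    host the certificate is being requested for. Returns (ok, detail)."""
    csr = x509.load_pem_x509_csr(pem)
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        # No SAN requested: nothing to validate here; the profile decides what is issued.
        return True, "no SAN in CSR"
    for name in san.get_values_for_type(x509.DNSName):
        if name.lower() != expected_host.lower():
            return False, f"SAN dNSName {name} does not match host {expected_host}"
    return True, "SAN matches requested host"


def requested_ekus(pem):
    """Return the EKU OIDs (dotted strings) carried in the CSR, in order."""
    csr = x509.load_pem_x509_csr(pem)
    ext = csr.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    return [oid.dotted_string for oid in ext]
```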
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code