On 2.7.2015 16:33, Fraser Tweedale wrote:
> Hi all,
> cert-request ensures that any dNSName values in a CSR subjectAltName
> requestExtension have a corresponding service/host principal in
> FreeIPA and that their entries are writable by the bind principal.
> It currently DOES NOT enforce CA ACLs for these alternative
> principals, i.e. it does not check that there is a caacl rule
> allowing issuance of certificates to each alt-principal (using the
> chosen profile.)
> Should it?  I'm leaning towards "yes" but I want other perspectives.

I would say 'it has to!' :-)

From my point of view, subjectAltName allows the entity possessing the private
key for the certificate to impersonate anything mentioned in
subjectAltName and CN ...

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
