On 2.7.2015 16:33, Fraser Tweedale wrote:
> Hi all,
> cert-request ensures that any dNSName values in a CSR subjectAltName
> requestExtension have a corresponding service/host principal in
> FreeIPA and that their entries are writable by the bind principal.
> It currently DOES NOT enforce CA ACLs for these alternative
> principals, i.e. it does not check that there is a caacl rule
> allowing issuance of certificates to each alt-principal (using the
> chosen profile.)
> Should it? I'm leaning towards "yes" but I want other perspectives.
I would say 'it has to!' :-)
From my point of view, subjectAltName allows the entity possessing the private
key for the certificate to impersonate anything mentioned in
SubjectAltName and CN ...
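As an added illustration of the discussion above (example code, not from the thread and not FreeIPA's own implementation), the following Python model runs the two checks cert-request already performs on each subjectAltName dNSName (a matching host principal exists, and the bind principal can write its entry) and then the proposed third check, that a CA ACL allows issuance to that alternative principal with the chosen profile. The realm, host names, the `caIPAserviceCert` profile name, the directory and rule data structures and the `enforce_caacl` switch are all assumptions constructed for the example; the sample request passes the existing checks but is rejected once CA ACLs are enforced for the alt-principal.

```python
"""Model of cert-request subjectAltName checks with CA ACL enforcement.

Constructed example: the data, realm and names below are made up and the
check logic is a simplified model of the behaviour described in the thread,
not FreeIPA code.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.TEST"  # assumed realm


@dataclass(frozen=True)
class Principal:
    name: str                 # e.g. "host/web1.example.test@EXAMPLE.TEST"
    writers: frozenset        # bind principals allowed to write this entry


@dataclass(frozen=True)
class CaAcl:
    name: str
    profiles: frozenset       # profiles this rule permits
    hosts: frozenset = frozenset()      # host FQDNs covered by the rule
    services: frozenset = frozenset()   # service principals covered
    all_hosts: bool = False             # rule applies to every host


def dnsname_to_principal(dnsname: str) -> str:
    """Map a SAN dNSName to the host principal it would impersonate."""
    return f"host/{dnsname.lower()}@{REALM}"


def caacl_allows(rules, principal: str, profile: str) -> bool:
    """True if some CA ACL rule permits `profile` for `principal`."""
    for rule in rules:
        if profile not in rule.profiles:
            continue
        if principal.startswith("host/"):
            fqdn = principal[len("host/"):].split("@", 1)[0]
            if rule.all_hosts or fqdn in rule.hosts:
                return True
        elif principal in rule.services:
            return True
    return False


def check_request(san_dnsnames, bind_principal, profile, directory, rules,
                  enforce_caacl=True):
    """Return (allowed, reasons) for the SAN dNSNames of a CSR.

    Existing checks: principal exists, bind principal can write it.
    Proposed check (enforce_caacl): a CA ACL permits the profile for it.
    """
    reasons = []
    for name in san_dnsnames:
        princ = dnsname_to_principal(name)
        entry = directory.get(princ)
        if entry is None:
            reasons.append(f"{name}: no principal {princ}")
            continue
        if bind_principal not in entry.writers:
            reasons.append(f"{name}: {bind_principal} cannot write {princ}")
            continue
        if enforce_caacl and not caacl_allows(rules, princ, profile):
            reasons.append(f"{name}: no CA ACL permits profile {profile} for {princ}")
    return (not reasons, reasons)


def sample_directory():
    """Constructed directory: two host principals, both writable by admin."""
    admin = f"admin@{REALM}"
    web1 = dnsname_to_principal("web1.example.test")
    web2 = dnsname_to_principal("web2.example.test")
    return {
        web1: Principal(web1, frozenset({admin, web1})),
        web2: Principal(web2, frozenset({admin, web2})),
    }


def sample_rules():
    """Constructed CA ACLs: only web1 may get a caIPAserviceCert certificate."""
    return [CaAcl("web1_service_certs", frozenset({"caIPAserviceCert"}),
                  hosts=frozenset({"web1.example.test"}))]


if __name__ == "__main__":
    san = ["web1.example.test", "web2.example.test"]
    admin = f"admin@{REALM}"
    for enforce in (False, True):
        ok, why = check_request(san, admin, "caIPAserviceCert",
                                sample_directory(), sample_rules(), enforce)
        print(f"enforce_caacl={enforce}: allowed={ok} {why}")
```

With `enforce_caacl=False` the request for both names is allowed because both host principals exist and admin can write them; with it enabled, the missing CA ACL for web2 rejects the whole request, which is the gap the thread is asking about.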