On 07/02/2015 05:58 PM, Jan Cholasta wrote:
Hi,
Dne 2.7.2015 v 17:18 Fraser Tweedale napsal(a):
On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
#2915 ipa-getcert does not allow setting specific EKU on
certificates
Involves certmonger so I will need to do a bit more
investigation.
If non-trivial to accomplish this with the default profile, now
that we have support for multiple profiles it could be done with
a separate profile, as long as certmonger passes the profile
propertly with `-T' argument. I will follow up on this tomorrow
and let you know what I find out.
Ok. I was not involved when the ticket was filed, but it does not seem to me as
something that should get much priority and your time at this stage.
I haven't looked at this yet.
FYI getcert supports setting EKU in the CSR using the -U option for a long
time. It also correctly passes the profile to IPA since 0.78.
#4970 Server certificate profile should always include a Subject
Alternate name for the host
If a subjectAltName request extension is in CSR, it is checked
by `cert-request', and copied onto the final certificate by
Dogtag. In the default profile there is currently no other way
to specify the SAN.
A possible approach to resolve this with the default profile is
to update it to include a separate, optional subjectAltName
request input, which could be filled in if explicit SAN is not
provided in CSR. There are related lines of investigation.
Will provide update tomorrow.
Ok.
I investigated this. My comments are on the ticket:
https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
the way our current SAN support is implemented makes this a
non-trivial ticket.
On a related note, I think we should also always include kerberos principal
name SAN.
That would be nice, how difficult is to enable this with certificates FreeIPA
issues? It would also let us make easier principal-based queries for Dogtag
certificates. Right?
Martin
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code