On 07/02/2015 05:58 PM, Jan Cholasta wrote:
Hi,

On 2.7.2015 at 17:18, Fraser Tweedale wrote:
On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
#2915 ipa-getcert does not allow setting specific EKU on
certificates

     Involves certmonger so I will need to do a bit more
     investigation.

     If non-trivial to accomplish this with the default profile, now
     that we have support for multiple profiles it could be done with
     a separate profile, as long as certmonger passes the profile
     properly with `-T' argument.  I will follow up on this tomorrow
     and let you know what I find out.

Ok. I was not involved when the ticket was filed, but it does not seem to me as
something that should get much priority and your time at this stage.

I haven't looked at this yet.

FYI getcert supports setting EKU in the CSR using the -U option for a long
time. It also correctly passes the profile to IPA since 0.78.


#4970   Server certificate profile should always include a Subject
Alternate name for the host

     If a subjectAltName request extension is in CSR, it is checked
     by `cert-request', and copied onto the final certificate by
     Dogtag.  In the default profile there is currently no other way
     to specify the SAN.

     A possible approach to resolve this with the default profile is
     to update it to include a separate, optional subjectAltName
     request input, which could be filled in if explicit SAN is not
     provided in CSR.  There are related lines of investigation.
     Will provide update tomorrow.

Ok.

I investigated this.  My comments are on the ticket:
https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
the way our current SAN support is implemented makes this a
non-trivial ticket.

On a related note, I think we should also always include kerberos principal
name SAN.

That would be nice, how difficult is it to enable this with certificates FreeIPA issues? It would also let us make principal-based queries for Dogtag certificates easier. Right?

Martin
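To make the two extensions discussed in this thread concrete (an EKU placed in the CSR, as `getcert -U` does, and a subjectAltName that `cert-request` checks before Dogtag copies it onto the certificate), here is an added example that is not code from FreeIPA, certmonger or anyone in the thread. It assumes the `cryptography` Python package is installed; the hostname/principal values are constructed, and the SAN policy (a dNSName is accepted only if it names the host of the requesting principal) is a simplified model of the check, not FreeIPA's implementation.

```python
# Added example (not from the thread or from FreeIPA): build a CSR carrying
# a subjectAltName and an EKU extension, then apply a simplified version of
# the SAN policy check that cert-request is described as performing.
# Assumes the `cryptography` package (https://cryptography.io) is available.
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def build_csr(hostname, extra_dns=(), ekus=(ExtendedKeyUsageOID.SERVER_AUTH,)):
    """Create a CSR with SAN dNSName entries and an EKU extension, i.e. the
    extensions `getcert request -D <dns> -U <eku-oid>` asks certmonger to
    include in the request (hostnames here are constructed sample values)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName(
        [x509.DNSName(n) for n in (hostname, *extra_dns)])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name(
                [x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
            .sign(key, hashes.SHA256()))


def principal_hostname(principal):
    """'host/web01.example.test@EXAMPLE.TEST' -> 'web01.example.test'."""
    _service, _, rest = principal.partition("/")
    return rest.split("@", 1)[0].lower() if rest else None


def check_san(csr, principal):
    """Return the SAN dNSName values the requester is NOT entitled to.
    Simplified policy (an assumption, not FreeIPA's code): a name in the
    CSR's SAN is accepted only if it equals the host of the principal
    making the request; anything else must be rejected by the CA front end
    because Dogtag would otherwise copy it onto the issued certificate."""
    allowed = principal_hostname(principal)
    try:
        san = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return []  # no SAN requested: nothing to police here
    return [n for n in san.get_values_for_type(x509.DNSName)
            if n.lower() != allowed]


def csr_ekus(csr):
    """Dotted OIDs of the EKU extension carried in the CSR (empty if none)."""
    try:
        eku = csr.extensions.get_extension_for_oid(
            ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return []
    return [oid.dotted_string for oid in eku]
```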

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
