Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>> The attached patch fixes
>>> Note that the problem is addressed by adding the appropriate request
>>> extension to the CSR; the fix does not involve changing the default
>>> profile behaviour, which is complicated (see ticket for details).
>> Thanks for the patch! This is something we should really fix, I already get
>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/
>> SubjectAltNameWarning: Certificate for has no
>> `subjectAltName`, falling back to check for a `commonName` for now. This
>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>> for details.)
>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>> 4.3.x and the other part later.
>> How difficult do you see the general FreeIPA Certificate Profile part of this
>> request? Is it too big a task to handle in the 4.4 time frame?
> I will split the ticket and would suggest 4.4 Backlog - it might be
> doable but is a lower priority than e.g. Sub-CAs.

If you are going to defer the profile part then you should probably
update the client to also include a SAN if --request-cert is provided.
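
The approach discussed in this thread (putting a subjectAltName request extension in the CSR) can be illustrated with plain OpenSSL. This is an added example, not part of the original messages and not FreeIPA's code; the host name `ipa.example.test`, the file layout and the function names `make_csr` and `csr_has_san` are assumptions made for the illustration.

```shell
# Constructed example: the host name and file layout are placeholders.

# make_csr HOST DIR [san|nosan]: create a key and CSR for HOST in DIR.
# In "san" mode the CSR carries a subjectAltName extension request that
# repeats the host name from the subject CN as a dNSName.
make_csr() {
    host=$1; dir=$2; mode=${3:-san}
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        if [ "$mode" = san ]; then printf 'req_extensions = ext\n'; fi
        printf '[ dn ]\nCN = %s\n' "$host"
        printf '[ ext ]\nsubjectAltName = DNS:%s\n' "$host"
    } > "$dir/$mode.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$mode.cnf" \
        -keyout "$dir/$mode.key" -out "$dir/$mode.csr" 2>/dev/null
}

# csr_has_san CSR HOST: succeed only if the CSR requests a SAN extension
# with an exact dNSName entry for HOST.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "DNS:$2"
}

# Demo: compare a CN-only request with one that also requests a SAN.
demo_dir=$(mktemp -d)
for m in nosan san; do
    make_csr ipa.example.test "$demo_dir" "$m"
    if csr_has_san "$demo_dir/$m.csr" ipa.example.test; then
        echo "$m: SAN requested"
    else
        echo "$m: CN only"
    fi
done
rm -rf "$demo_dir"
```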

