On 29.2.2016 07:59, Fraser Tweedale wrote:
> Hi all (especially those interested in certificates),
>
> Please provide early review of my design for RFC 2818 compliance
> which will address the following tickets:
>
> - #4970 Server certificate profile should always include a Subject Alternate name for the host
> - #5706 [RFE] Support SAN-only certificates
>
> The design is a WIP and there is no code for it yet.  Looking for
> feedback and (hopefully) validation of the approach before
> committing cycles to implementing new profile components in Dogtag.

1) Do wildcard certificates need special handling? There is no mention of them in the design doc.

2) Should we accept invalid CSRs where the CN length is greater than 64? I wouldn't be surprised if these existed in the wild.

3) Sometimes it is not clear which parts belong to Dogtag and which to IPA itself. For example the upgrade section - I assume Dogtag should update registry.cfg and the IPA caIPAserviceCert profile, but it is not clearly stated anywhere.


Jan Cholasta
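Questions 1 and 2 above both come down to what an RFC 2818 client does with the certificate: section 3.1 says that when a dNSName subjectAltName is present it MUST be used as the identity and the CN is ignored, that only a certificate with no dNSName SAN falls back to the CN, and that a `*` matches a single label or label fragment (`*.a.com` matches `foo.a.com` but not `bar.foo.a.com`; `f*.com` matches `foo.com` but not `bar.com`). The 64-character figure in question 2 is the X.520 `ub-common-name` upper bound. The following is an added example written for this page, not FreeIPA or Dogtag code; the certificate dicts (`cn`, `san_dns`), hostnames and the `check_request` helper are constructed stand-ins for parsed X.509 fields, chosen to show why a SAN-only certificate is verifiable, why a matching CN does not rescue a certificate whose SAN does not match, and how wildcard names behave.

```python
"""RFC 2818 section 3.1 server identity matching, as an added illustration.

Certificates and requests are plain dicts with the two fields the thread
discusses: "cn" (subject commonName or None) and "san_dns" (list of
dNSName SAN values).  These are constructed stand-ins, not parsed certs.
"""

# X.520 ub-common-name: the upper bound behind question 2 in the thread.
UB_COMMON_NAME = 64


def cn_too_long(cn):
    """True if a CN exceeds the X.520 ub-common-name bound of 64 characters."""
    return cn is not None and len(cn) > UB_COMMON_NAME


def match_dns_name(pattern, hostname):
    """RFC 2818 section 3.1 matching of one dNSName/CN pattern to a hostname.

    A single '*' per label matches any label or fragment of a label, so
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and 'f*.com'
    matches 'foo.com' but not 'bar.com'.  DNS names are case-insensitive.
    """
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False  # a wildcard never spans more than one label
    for p, h in zip(plabels, hlabels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")
        if "*" in tail:
            return False  # reject 'a*b*c' style patterns outright
        if not (h.startswith(head) and h.endswith(tail)
                and len(h) >= len(head) + len(tail)):
            return False
    return True


def identity_names(cert):
    """Names an RFC 2818 client checks: SAN dNSNames if any, else the CN.

    With a dNSName SAN present the CN is ignored entirely, which is why
    a SAN-only certificate (empty subject, ticket #5706) still verifies
    and why a CN-only certificate depends on a fallback clients may drop.
    """
    san = cert.get("san_dns") or []
    if san:
        return list(san)
    cn = cert.get("cn")
    return [cn] if cn else []


def hostname_matches(cert, hostname):
    """True if the certificate identifies the given hostname per RFC 2818."""
    return any(match_dns_name(n, hostname) for n in identity_names(cert))


def check_request(req):
    """Constructed CA-side sanity check over a request dict.

    Returns the list of problems a profile following the design in the
    thread would care about: a CN over the X.520 bound, and no dNSName SAN.
    """
    problems = []
    if cn_too_long(req.get("cn")):
        problems.append("cn-too-long")
    if not req.get("san_dns"):
        problems.append("no-dnsname-san")
    return problems


# Constructed stand-ins for parsed certificates (not real FreeIPA certs).
CN_ONLY = {"cn": "ipa.example.test", "san_dns": []}
SAN_ONLY = {"cn": None, "san_dns": ["ipa.example.test"]}
WILDCARD = {"cn": None, "san_dns": ["*.example.test"]}
# CN matches the host but the SAN does not: an RFC 2818 client rejects it.
SAN_MISMATCH = {"cn": "ipa.example.test", "san_dns": ["other.example.test"]}
LONG_CN_REQUEST = {"cn": "h" * 65 + ".example.test", "san_dns": []}


if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY), ("SAN only", SAN_ONLY),
                        ("wildcard", WILDCARD), ("SAN mismatch", SAN_MISMATCH)]:
        print(f"{label:13s} ipa.example.test ->",
              hostname_matches(cert, "ipa.example.test"))
    print("wildcard      bar.foo.example.test ->",
          hostname_matches(WILDCARD, "bar.foo.example.test"))
    print("long CN request problems:", check_request(LONG_CN_REQUEST))
```

Running the module prints one line per constructed certificate; the SAN-mismatch case is the one worth noting, since the CN alone would have satisfied a client that only looked at the subject.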

