Christian Heimes wrote:
and now to the review of your design doc for RFC 2818-compliant subject
alternative names in certs:
1) RFC 2818 vs. RFC 6125
First I'd like to address a more general topic. Your design mentions RFC
6125 briefly. IMHO RFC 6125 supersedes 2818 for CN/SAN hostname
verification and we should follow the rules in RFC 6125, whenever 2818
lacks specification or there is a conflict between both RFCs. I can tell
you some horror stories from Python's ssl module related to both RFCs.
https://tools.ietf.org/html/rfc2818, HTTP Over TLS
https://tools.ietf.org/html/rfc6125, Representation and Verification of
Domain-Based Application Service Identity within Internet Public Key
Infrastructure Using X.509 (PKIX) Certificates in the Context of
Transport Layer Security (TLS)
As far as I'm familiar with RFC 6125, your proposal doesn't conflict
with the more modern RFC. It also makes sense to name the design after
the RFC, which has deprecated CN. I'd still like to check your design
against RFC 6125.
Fraser, do you agree?
2) SAN validation in ipa cert-request
In the paragraph "ipa cert-request changes" you write that the plugin
"[...] ensure that one element of the DNS names list matches the
principal name". Shouldn't the plugin validate *all* DNS names and
verify that the principal is allowed to request a cert for all fields in
Are there plans for any other SAN types? IP address or other oddball
types like MS UPN?
3) Should FreeIPA deprecate cert request without SAN or at least warn
IMHO it makes sense to deprecate CN only cert requests.
I'd mark it as deprecated over at least a major release in order to
handle older versions that may still make requests without a SAN.
4) update "Issue New Certificate for Host" dialog and documentation
The web UI has an "Issue New Certificate for Host" dialog which
explains how to create a CSR with certutil. This dialog should be
updated to explain how to add a SAN DNS field. The option for SAN DNS is
'-8 fqdn' or '--extSAN dns:fqdn', e.g.
Create a CSR with subject CN=<hostname>,O=<realm>, for example:

# certutil -R -d <database path> -a -g <key size> -s 'CN=client1.ipa.example,O=IPA.EXAMPLE' -8 'client1.ipa.example'
Manage your subscription for the Freeipa-devel mailing list:
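An added example (not from this thread or the FreeIPA code base) of the check point 2 asks for: every dNSName in the request, not just one, must belong to the requesting host principal or to a host it manages. The MANAGED_BY mapping and the function names are my own assumptions, standing in for IPA's "managed by" host relationship.

```python
import re

# Constructed sample data (assumption, not FreeIPA's own): which extra hosts
# each host principal may manage, mirroring IPA's "managed by" relationship.
MANAGED_BY = {
    "host/client1.ipa.example@IPA.EXAMPLE": {"client1.ipa.example", "vhost.ipa.example"},
    "host/client2.ipa.example@IPA.EXAMPLE": set(),
}

_HOST_PRINC = re.compile(r"^host/(?P<fqdn>[^@/]+)@(?P<realm>[^@]+)$")


def principal_fqdn(principal: str) -> str:
    """Return the FQDN embedded in a host principal of the form host/fqdn@REALM."""
    m = _HOST_PRINC.match(principal)
    if not m:
        raise ValueError(f"not a host principal: {principal}")
    return m.group("fqdn").lower()


def _normalize(name: str) -> str:
    # Strip a trailing dot and fold case so "Client1.ipa.example." compares equal.
    return name.rstrip(".").lower()


def check_san_dns_names(principal, san_dns_names, managed_by=MANAGED_BY):
    """Strict rule: accept only if *every* dNSName is the principal's own FQDN
    or a host the principal manages. Wildcards such as "*.ipa.example" are
    never in the allowed set, so they are rejected too.
    Returns (ok, sorted list of unauthorized names as they appeared)."""
    allowed = {principal_fqdn(principal)}
    allowed |= {_normalize(h) for h in managed_by.get(principal, ())}
    unauthorized = sorted(n for n in san_dns_names if _normalize(n) not in allowed)
    return (not unauthorized, unauthorized)


def any_name_matches(principal, san_dns_names):
    """The weaker 'one element matches the principal name' rule from the design
    doc, kept for contrast: it passes as soon as a single name is the
    principal's FQDN, regardless of what the other names are."""
    return principal_fqdn(principal) in {_normalize(n) for n in san_dns_names}
```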