URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

frasertweedale commented:
Was there agreement that this should be implemented?  (I am personally
against it, because the next release should update the default profile to use
the new CommonNameToSanExtDefault profile component).

If we do implement this, IMO it should be a per-profile configuration, because
there may be legitimate use cases where SAN is not needed.

If we do pursue the current approach, we should further check not only that SAN
is present, but that it contains a DNSName.  Put another way, with the current 
SAN can be present, but it might contain only KRB5PrincipalName and no DNSName,
and therefore the warning will not show, but it probably should have warned.

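The stricter check suggested in the comment above, as an added example that is not code from the PR or from FreeIPA: it uses the python-cryptography library to tell apart a CSR with no SAN, a CSR whose SAN holds only a KRB5PrincipalName otherName, and a CSR whose SAN includes a DNSName. The helper names, host name and realm are assumptions constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-pkinit-san (RFC 4556): otherName type that carries a KRB5PrincipalName
KRB5_PRINCIPAL_NAME = x509.ObjectIdentifier("1.3.6.1.5.2.2")

def san_status(csr):
    """Classify a CSR as 'missing' (no SAN), 'no-dnsname' or 'ok'."""
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return "missing"
    # SAN presence alone is not enough: require at least one dNSName entry.
    return "ok" if ext.value.get_values_for_type(x509.DNSName) else "no-dnsname"

def tlv(tag, body):
    """Minimal DER TLV encoder (short-form length, body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def krb5_principal_der(realm, components):
    """DER KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }."""
    names = tlv(0x30, b"".join(tlv(0x1B, c.encode()) for c in components))
    principal = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, names))
    return tlv(0x30, tlv(0xA0, tlv(0x1B, realm.encode())) + tlv(0xA1, principal))

def build_csr(san_names):
    """Build a throwaway CSR (constructed sample input) with the given SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.example.test")]))
    if san_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(san_names), critical=False)
    return builder.sign(key, hashes.SHA256())

def demo():
    """Statuses for: no SAN, SAN with only a principal, SAN with a DNSName."""
    princ = x509.OtherName(KRB5_PRINCIPAL_NAME, krb5_principal_der(
        "EXAMPLE.TEST", ["host", "host.example.test"]))
    dns = x509.DNSName("host.example.test")
    return [san_status(build_csr(names))
            for names in ([], [princ], [princ, dns])]

if __name__ == "__main__":
    print(demo())
```

A presence-only check would treat the second case the same as the third, which is the gap the comment describes.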