Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Was there agreement that this should be implemented? (I am personally
against it, because the next release should update the default profile to use
the new CommonNameToSanExtDefault profile component).
If we do implement this, IMO it should be a per-profile configuration, because
be legitimate use cases where SAN is not needed.
If we do pursue the current approach, we should further check not only that SAN
is present, but that it contains a DNSName. Put another way, with the current
SAN can be present, but it might contain only KRB5PrincipalName and no DNSName,
and therefore the warning will not show, but it probably should have warned.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code