Thank you all -- this all worked and should keep us going until we have time to work around the various deprecations.
Cheers!

--
Bret Wortman
[email protected]

On Tue, Jun 7, 2022, at 10:11 PM, Fraser Tweedale wrote:
> On Tue, Jun 07, 2022 at 11:56:10AM -0400, Bret Wortman via FreeIPA-users wrote:
>> I did set up a profile using Fraser's directions, and I see something in
>> there about:
>>
>> policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
>> policyset.serverCertSet.12.constraint.name=No Constraint
>> policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
>> policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
>> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
>>
>> But I'm not sure if that's something I have to trigger somehow, or if it
>> just should happen.
>>
> Hi Bret and others,
>
> CommonNameToSANDefault copies the CSR's CN to SAN "as is". The CN
> can't include wildcard (FreeIPA won't validate it) so this is not
> the solution.
>
> Please see this follow-up blog post about how to achieve wildcard
> DNS-IDs in SAN.
>
> https://frasertweedale.github.io/blog-redhat/posts/2017-06-26-freeipa-wildcard-san.html
>
> It is evident that I need to put a notice in the older post pointing
> to ^^^ this one. I will do that today.
>
> Note that this solution won't propagate additional SANs from the CSR
> to the certificate. There's no way to do it with the Dogtag profile
> components currently available. It's unlikely we'll implement a way
> because wildcard DNS-IDs are deprecated and increasing automation of
> certificate management (e.g. ACME) has reduced the overall need for
> wildcard certificates.
>
> Thanks,
> Fraser
