Greetings,

To my knowledge it is considered a bad practice to use SAN names that are
not associated with the principal/name you are issuing certificates for and
my security team is actively pushing me to remove those fields. We are
using certificates mostly for the purpose of securing communications
between our internal web sites. So, basically, otherName fields are not
used in that regard. I was hoping there is a way to stop certmonger from
adding otherNames to the CSR.

Regards,
Alex Ivanov.


On Wed, Feb 8, 2023 at 9:47 PM Rob Crittenden <[email protected]> wrote:

> Alex Ivanov via FreeIPA-users wrote:
> > Greetings,
> >
> > I'm trying to use certmonger to automate certificate signing with
> FreeIPA. It is working fine, but it adds additional values to the SAN of issued
> certificates:
> >
> > Other Name:
> >      Principal Name=HTTP/<principal>@<Kerberos realm>
> > Other Name:
> >      1.3.6.1.5.2.2=<principal>
> >
> > If I choose to generate certificates using openssl and manually sign
> them I have no such issue
> >
> > I've found an old post about that:
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/2JOL7OAKZQXIZWIYBFNQJTXC4L2WPNAD/
> >
> > Does this issue still persist, or have I missed something?
>
> It is working as designed.
>
> What is the reason you don't need/want additional SAN associated with
> the issued certificate?
>
> rob
>
>
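The dump quoted above shows two otherName SAN entries: the Kerberos principal name (OID 1.3.6.1.5.2.2) and a second entry that Windows renders as "Principal Name" (the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3; that OID is my addition, not from the thread). Whichever way the profile question is settled, it helps to be able to inventory which issued certificates carry a Kerberos identity in their SAN and to confirm after re-issuance that the entries are gone. The script below is an added example written for this thread; it is not certmonger or FreeIPA code. It assumes the `cryptography` Python library is available and, so that it runs offline, builds a self-signed sample certificate with a hand-encoded KRB5PrincipalName in place of a certificate issued by the IPA CA.

```python
"""Audit a certificate's subjectAltName for Kerberos/UPN otherName entries.

Added example for this thread, not certmonger or FreeIPA code. Assumes the
`cryptography` library; the sample certificate is constructed inline.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID, ObjectIdentifier

# OID seen in the thread's dump (RFC 4556 KRB5PrincipalName) plus the
# Microsoft UPN otherName that Windows displays as "Principal Name".
OID_KRB5_PRINCIPAL = ObjectIdentifier("1.3.6.1.5.2.2")
OID_MS_UPN = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
PRINCIPAL_OIDS = {OID_KRB5_PRINCIPAL: "KRB5PrincipalName", OID_MS_UPN: "Microsoft UPN"}


def _der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder; every payload here is under 128 bytes."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def der_utf8(text: str) -> bytes:
    """UTF8String, the value type of the Microsoft UPN otherName."""
    return _der(0x0C, text.encode())


def der_krb5_principal_name(service: str, host: str, realm: str) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] GeneralString,
    principalName [1] SEQUENCE { name-type [0] INTEGER,
                                 name-string [1] SEQUENCE OF GeneralString } }"""
    def general_string(s: str) -> bytes:
        return _der(0x1B, s.encode())
    name_string = _der(0x30, general_string(service) + general_string(host))
    principal = _der(0x30, _der(0xA0, _der(0x02, b"\x01"))  # name-type 1 = NT-PRINCIPAL
                     + _der(0xA1, name_string))
    return _der(0x30, _der(0xA0, general_string(realm)) + _der(0xA1, principal))


def san_other_names(cert: x509.Certificate) -> list[tuple[str, str]]:
    """Return (oid, label) for every otherName in the SAN; the label names the
    Kerberos principal / UPN types that bind the cert to a Kerberos identity."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return [(n.type_id.dotted_string, PRINCIPAL_OIDS.get(n.type_id, "unknown otherName"))
            for n in san.get_values_for_type(x509.OtherName)]


def audit_pem(pem: bytes) -> list[tuple[str, str]]:
    """Entry point for a certificate file, e.g. one tracked by certmonger."""
    return san_other_names(x509.load_pem_x509_certificate(pem))


def make_sample_cert(with_principals: bool) -> x509.Certificate:
    """Constructed self-signed sample standing in for an IPA-issued cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "web.example.test")])
    entries: list[x509.GeneralName] = [x509.DNSName("web.example.test")]
    if with_principals:
        entries += [
            x509.OtherName(OID_MS_UPN, der_utf8("HTTP/web.example.test@EXAMPLE.TEST")),
            x509.OtherName(OID_KRB5_PRINCIPAL,
                           der_krb5_principal_name("HTTP", "web.example.test", "EXAMPLE.TEST")),
        ]
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName(entries), critical=False)
            .sign(key, hashes.SHA256()))


if __name__ == "__main__":
    for label, cert in (("plain", make_sample_cert(False)),
                        ("with principals", make_sample_cert(True))):
        print(label, audit_pem(cert.public_bytes(Encoding.PEM)))
```

Run it against real files with `audit_pem(open("/path/to/cert.pem", "rb").read())`; an empty list means the SAN carries only DNS names, and any tuple labelled `KRB5PrincipalName` or `Microsoft UPN` is a certificate that still binds the Kerberos service identity.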
_______________________________________________
FreeIPA-users mailing list -- [email protected]