Алексей Иванов wrote:
> Greetings,
>
> To my knowledge it is considered a bad practice to use SAN names that
> are not associated with the principal/name you are issuing certificates
> for, and my security team is actively pushing me to remove those fields.
> We are using certificates mostly for the purpose of securing
> communications between our internal web sites. So, basically, otherName
> fields are not used in that regard. I was hoping there is a way to stop
> certmonger from adding otherNames to the CSR.

There is not a way using the certmonger ipa CA helper.

rob

>
>
> On Wed, Feb 8, 2023 at 9:47 PM Rob Crittenden <[email protected]
> <mailto:[email protected]>> wrote:
>
> > Alex Ivanov via FreeIPA-users wrote:
> > > Greetings,
> > >
> > > I'm trying to use certmonger to automate certificate signing with
> > > FreeIPA. It is working fine, but it adds additional values to the SAN of
> > > issued certificates:
> > >
> > >     Other Name:
> > >         Principal Name=HTTP/<principal>@<Kerberos realm>
> > >     Other Name:
> > >         1.3.6.1.5.2.2=<principal>
> > >
> > > If I choose to generate certificates using openssl and manually
> > > sign them, I have no such issue.
> > >
> > > I've found an old post about that:
> > > https://lists.fedorahosted.org/archives/list/[email protected]/thread/2JOL7OAKZQXIZWIYBFNQJTXC4L2WPNAD/
> > >
> > > Does this issue still persist, or have I missed something?
> >
> > It is working as designed.
> >
> > What is the reason you don't need/want additional SAN associated with
> > the issued certificate?
> >
> > rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
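The thread turns on what certmonger's ipa CA helper puts in the SAN: an otherName of type Microsoft UPN (the entry shown as "Principal Name") and a Kerberos principal name under OID 1.3.6.1.5.2.2, in addition to whatever dNSName the service needs. Whichever side of the argument you are on, the check the security team will ask for is a way to audit an issued certificate for otherName entries. The script below is an added example, not code from the thread, certmonger or FreeIPA: it constructs a throwaway self-signed certificate with openssl that carries a dNSName plus a UPN otherName (the hostname www.example.test, principal and realm EXAMPLE.TEST are placeholders), then counts the otherName SAN entries and lists the dNSName entries the way you would on a real certificate. The UPN type is used for the sample because openssl's config syntax expresses it in one line; the KRB5PrincipalName form (a SEQUENCE) is harder to construct by hand, but the counting check is the same. OpenSSL 3 decodes the UPN as "othername: UPN::...", while 1.1 prints "othername:<unsupported>"; the count works with either output.

```shell
#!/bin/sh
# Added example: build a sample certificate with a dNSName and a UPN
# otherName SAN, then audit it for otherName entries.
# Hostname, principal and realm below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: one dNSName plus one otherName of type
# Microsoft UPN (OID 1.3.6.1.4.1.311.20.2.3), the entry that openssl and
# certutil display as "Principal Name".
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = www.example.test
[v3]
subjectAltName = DNS:www.example.test, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/www.example.test@EXAMPLE.TEST
EOF

# Throwaway self-signed certificate; in practice point the functions
# below at the certificate certmonger tracks (see `getcert list`).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -config "$WORK/san.cnf" >/dev/null 2>&1

# Prints the number of otherName entries in the SAN extension of the
# certificate given as $1. SAN entries are comma separated on one line,
# so split on commas before counting; grep -c exits 1 on zero matches,
# which is a valid result, hence the `|| true`.
count_othernames() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -ic 'othername' || true
}

# Prints only the dNSName entries, one per line, for comparison with
# the host the certificate was meant to identify.
list_dnsnames() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -o 'DNS:[^ ]*'
}

echo "otherName entries: $(count_othernames "$WORK/cert.pem")"
echo "dNSName entries:"
list_dnsnames "$WORK/cert.pem"
```

Run against a certmonger-issued certificate, a count of 0 means the SAN carries only the names you asked for; a count of 2 matches what the thread describes for the ipa CA helper. The dNSName listing is there so the review can confirm the hostname the service actually answers on is present alongside (or instead of) the principal-based entries.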
