On Mon, 25 Apr 2016, Rob Crittenden wrote:
Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
On 23.4.2016 1:23, EXT Rob Crittenden wrote:
Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
Repetitio est mater studiorum:

How I can clean this defective state of certmonger?

# ipa-getcert stop-tracking -i 20160212110456

Ah! That was obvious! Thanks a lot Rob.

Second question if/when the above urgent problem is solved:

Is there any way to get IP address to SAN field for the IPA

Not without changing code. IP address SAN are explicitly forbidden:
Subject alt name type IP Address is forbidden


Is there any true reason why IP Address is forbidden by certmonger /
freeipa? Or is it just "not implemented" kind of restriction?

It is denied by IPA, not certmonger.

IP addresses are frowned upon in certs in general and they are denied by IPA because the access control would be really difficult. Today a host must be granted access to issue certs with additional names in it.

You can open a RFE for this on the IPA trac if you really need it.

I'm not deeply familiar with the new profile support so perhaps it is possible to do this using the latest version of IPA, I'm not sure.
Correct and no, it is not right now.
Certificate profile defines what CA considers possible to grant when
issuing a cert. CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. IPA framework is sitting in
front of CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
be conflicting with IPA access controls.

As it happens now, IPA framework disallows IP addresses. Adding support
for that would need to get proper logic in place to decide which
address spaces to allow being managing by a requesting party -- a host
in your case as certmonger asks for the cert on behalf of the host. We
don't have any system in place for that.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to