I would like to better understand why IPA requires SAN (subject alternative
name) entries to have a backing host record. In order to sign a certificate
with a SAN that corresponded to a user friendly CNAME I had to add a host
record (ipa host) for that DNS name (use force option to create without an
A/AAAA record) as well as a service principle.

I'm sure I'm not alone when I say I don't like doing that because it means
that a "Host" in FreeIPA is not a computer, it's a host record that may or
may not be the only record that corresponds to a computer. It gets

I assume things are this way to ensure integrity at some level. But I can't
picture it. What is the potential danger of simply bypassing the
host/principal checks and just signing the certificate with whatever SAN
field we like?

If this actually is a necessity and is not likely to change, I think it
would be beneficial to administrators to be able to manage "Hosts" that
correspond to CNAMEs (call them "Alias Hosts"? ) separately from Hosts that
are actually enrolled computers. They could be managed in a similar fashion
to SUDO rules, like maybe:

Alias Hosts = a single name

Alias Host Groups = groups of names

Alias Host Maps = associate Alias Host/Group with a Hosts or Host Groups

I'm picturing Alias Hosts and Alias groups as a seperate tab under Identity
(and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab
under policy.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to