On ma, 24 loka 2016, Fraser Tweedale wrote:
On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote:
I would like to better understand why IPA requires SAN (subject alternative
name) entries to have a backing host record. In order to sign a certificate
with a SAN that corresponded to a user friendly CNAME I had to add a host
record (ipa host) for that DNS name (use force option to create without an
A/AAAA record) as well as a service principle.
I'm sure I'm not alone when I say I don't like doing that because it means
that a "Host" in FreeIPA is not a computer, it's a host record that may or
may not be the only record that corresponds to a computer. It gets
I assume things are this way to ensure integrity at some level. But I can't
picture it. What is the potential danger of simply bypassing the
host/principal checks and just signing the certificate with whatever SAN
field we like?
In this specific case, it is because certmonger requests service
certificates with host credentials. Therefore it is not just human
administrators issuing certs. And we MUST validate SAN against
information in the directory (the only "source of truth" available
to the CA / IPA cert-request command). Otherwise you could put e.g.
`google.com' into SAN, and we would issue the cert, and that would
be Very Bad.
The problem is slightly exacerbated in that 99% of the time you
really want to issue service certs, but FreeIPA does not permit the
creation of a service entry without a corresponding host entry. So
you end up with spurious host entries that do not correspond to
actual hosts. I have previously asked about relaxing this
restriction. The idea was rejected (for reasons I don't remember).
The host entries are not "spurious" as you call them. They are objects
that participate in the access control. Services always belong to hosts
and are managed by them. Whether there are DNS entries corresponding to
the controlling objects is irrelevant, their primary use is to be used
as something that could be defined as owning the service. The fact that
host object is also a service in itself (for host/<hostname>) is an
obvious optimization for Kerberos infrastructure
As you know, on x.509 certificate level there are no differences between
services running on the same host, so technically all Kerberos services
could share the same certificate associated with the host that controls
them. You could just keep the certificate in the host entry and be done
with it. This, of course, has own issues -- mostly related to rotation
of the certificates and access to the private keys from multiple
applications -- but this has nothing to do with the way how IPA presents
hosts in the database.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project