Hi,
On 29.2.2016 07:59, Fraser Tweedale wrote:
Hi all (especially those interested in certificates),
Please provide early review of my design for RFC 2818 compliance
which will address the following tickets:
- #4970 Server certificate profile should always include a Subject Alternate
name for the host
- #5706 [RFE] Support SAN-only certificates
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
The design is a WIP and there is no code for it yet. Looking for
feedback and (hopefully) validation of the approach before
committing cycles to implementing new profile components in Dogtag.
1) Do wildcard certificates need special handling? There is no mention
of them in the design doc.
2) Should we accept invalid CSR where CN length is greater than 64? I
wouldn't be surprised if these existed in the wild.
3) Sometimes it is not clear which parts belong to Dogtag and which to
IPA itself. For example the upgrade section - I assume Dogtag should
update registry.cfg and IPA caIPAserviceCert profile, but it is not
clearly stated anywhere.
Honza
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
