[Freeipa-devel] Re: Certificate enrollment, principal names
Rob Crittenden
rcritten at redhat.com
Fri Nov 6 14:08:50 UTC 2009
Simo Sorce wrote:
> On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
>> This is about right. What you're missing is storing the certificate in
>> the service record. To do this we need to know what the target is.
>>
>> Nalin and I simply took two different approaches to sending this. We can
>> easily support either method by making the principal an optional
>> attribute and looking for it in the CSR if not provided (assuming I can
>> get my head around PKCS#10 enough to grab attributes).
>
> Given we should prevent "tricks" from people the server side should
> really parse the CSR and validate it against the ACL IMO.
> Otherwise do we have any other part that checks that host
> foo.example.com is asking a certificate for itself and not for
> bar.example.com ?
>
> Simo.
>
When binding using machine credentials, in order to request a
certificate for any host they need to be in the managedBy attribute of
the target service entry.
rob
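The two halves of this thread, Simo's point that the server itself should parse the CSR and validate it against the ACL, and Rob's answer that a machine-credential bind may only enroll for services whose managedBy attribute lists it, fit together as the check below. This is an added example in Go, not FreeIPA code: the hostname-keyed `serviceEntry` map, the `host/...@EXAMPLE.COM` principal strings and the sample directory are constructed stand-ins for the LDAP service entries and their managedBy attribute, and the requester identity is assumed to come from the bind, never from the request body. Every hostname the CSR names, subject CN and each DNS SAN, must be covered, which is what stops a host that is allowed to enroll for itself from smuggling a SAN for another host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// serviceEntry is a hypothetical stand-in for a service's LDAP entry; only
// the managedBy attribute (host principals allowed to manage it) matters here.
type serviceEntry struct{ ManagedBy []string }

// sampleDirectory is constructed sample data, keyed by the service hostname.
func sampleDirectory() map[string]serviceEntry {
	foo, bar := "host/foo.example.com@EXAMPLE.COM", "host/bar.example.com@EXAMPLE.COM"
	return map[string]serviceEntry{
		"foo.example.com": {ManagedBy: []string{foo}},
		"bar.example.com": {ManagedBy: []string{bar}},
		"www.example.com": {ManagedBy: []string{foo, bar}}, // name shared by both hosts
	}
}

// makeCSR plays the enrolling host: a PKCS#10 request for commonName with the
// given DNS SANs, signed by a fresh P-256 key.
func makeCSR(commonName string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: sans}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// hostsFromCSR parses the DER CSR, checks its self-signature (proof of key
// possession) and returns every hostname it names: the subject CN plus all
// DNS SANs. Non-DNS SANs are rejected; a host certificate should not carry them.
func hostsFromCSR(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature: %w", err)
	}
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return nil, fmt.Errorf("CSR carries non-DNS subject alternative names")
	}
	seen := map[string]bool{}
	var hosts []string
	for _, h := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		h = strings.ToLower(strings.TrimSpace(h)) // DNS names compare case-insensitively
		if h != "" && !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	return hosts, nil
}

// authorizeEnrollment is the server-side check: the bound requester must be in
// managedBy of the entry for every hostname the CSR names. An empty name list
// is refused too, otherwise a CSR naming nothing would pass the loop.
func authorizeEnrollment(requester string, csrDER []byte, dir map[string]serviceEntry) error {
	hosts, err := hostsFromCSR(csrDER)
	if err != nil {
		return err
	}
	if len(hosts) == 0 {
		return fmt.Errorf("CSR names no host")
	}
	for _, h := range hosts {
		entry, ok := dir[h]
		if !ok {
			return fmt.Errorf("no service entry for %q", h)
		}
		if !contains(entry.ManagedBy, requester) {
			return fmt.Errorf("%s is not in managedBy of %q", requester, h)
		}
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	dir, foo := sampleDirectory(), "host/foo.example.com@EXAMPLE.COM"
	for _, c := range []struct {
		label, cn string
		sans      []string
	}{
		{"own host", "foo.example.com", []string{"foo.example.com"}},
		{"shared name", "www.example.com", nil},
		{"other host in CN", "bar.example.com", nil},
		{"own CN, foreign SAN", "foo.example.com", []string{"bar.example.com"}},
	} {
		der, err := makeCSR(c.cn, c.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s -> %v\n", c.label, authorizeEnrollment(foo, der, dir))
	}
}
```

The first two cases are accepted and the last two are refused: naming bar.example.com in the CN fails outright, and naming foo.example.com in the CN with bar.example.com as a SAN fails on the SAN. If the principal is also sent as a separate request attribute, as the thread discusses, the same rule applies: it has to agree with what the parsed CSR names, or the CSR wins and the attribute is ignored, but the ACL must never be evaluated against a caller-supplied name alone.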