[Freeipa-devel] [PATCH] 299 request certs for other hosts

Rob Crittenden rcritten at redhat.com
Tue Oct 20 16:02:44 UTC 2009


First pass at enforcing certificates be requested from same host

We want to only allow a machine to request a certificate for itself, not 
for other machines. I've added a new taskgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to 
determine if they are the same host. The same is done with the service 
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request 
certificates; that is still limited to the taskgroup request_certs.

This also fixes some minor typos I discovered.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-299-cert.patch
Type: application/mbox
Size: 15851 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091020/73116d3a/attachment.mbox>
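The check the patch describes (resolve the requesting IP, then compare the resulting hostname against the CSR subject and the host part of the service principal) can be sketched as follows. This is an added example written for this archive page, not code from the patch or from FreeIPA; it goes one step beyond the message by forward-confirming the reverse lookup, since a PTR record is controlled by whoever owns the reverse zone and is not proof of identity on its own. The DNS tables and all names are constructed stand-ins so the example runs offline; `socket.gethostbyaddr` / `socket.gethostbyname_ex` wrappers are shown for real use.

```python
import socket
from typing import Callable, List, Optional

# Constructed DNS data (hypothetical hosts, RFC 5737 documentation addresses).
# PTR: address -> name; A: name -> addresses. Note the attacker-controlled
# PTR for 198.51.100.7 claims to be web1, but web1's A record disagrees.
PTR_TABLE = {
    "192.0.2.10": "web1.example.test.",
    "198.51.100.7": "web1.example.test.",
}
A_TABLE = {
    "web1.example.test": ["192.0.2.10"],
    "evil.example.test": ["198.51.100.7"],
}

PtrLookup = Callable[[str], str]
AddrLookup = Callable[[str], List[str]]


def table_ptr_lookup(ip: str) -> str:
    """Offline stand-in for socket.gethostbyaddr(ip)[0]."""
    if ip not in PTR_TABLE:
        raise OSError("no PTR record")
    return PTR_TABLE[ip]


def table_addr_lookup(name: str) -> List[str]:
    """Offline stand-in for socket.gethostbyname_ex(name)[2]."""
    if name not in A_TABLE:
        raise OSError("no A record")
    return A_TABLE[name]


# Real resolver wrappers (standard library; these do network I/O).
def dns_ptr_lookup(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def dns_addr_lookup(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


def normalize_host(name: str) -> str:
    """Strip a trailing dot and lower-case, so web1.EXAMPLE.test. == web1.example.test."""
    return name.rstrip(".").lower()


def principal_host(principal: str) -> Optional[str]:
    """Return the host component of service/host@REALM, or None for a user principal."""
    name, _, _realm = principal.partition("@")
    _service, sep, host = name.partition("/")
    if not sep or not host:
        return None
    return normalize_host(host)


def forward_confirmed_host(ip: str, ptr: PtrLookup, addr: AddrLookup) -> Optional[str]:
    """Reverse-resolve ip, then require that the name resolves back to ip.

    Returns the confirmed hostname, or None if either lookup fails or the
    forward lookup does not include the original address.
    """
    try:
        name = normalize_host(ptr(ip))
        addresses = addr(name)
    except OSError:
        return None
    if ip not in addresses:
        return None
    return name


def may_request_cert(ip: str, subject_cn: str, principal: str,
                     ptr: PtrLookup = table_ptr_lookup,
                     addr: AddrLookup = table_addr_lookup) -> bool:
    """Allow the request only when requester, CSR subject CN and principal host agree."""
    host = forward_confirmed_host(ip, ptr, addr)
    if host is None:
        return False
    if normalize_host(subject_cn) != host:
        return False
    if principal_host(principal) != host:
        return False
    return True


if __name__ == "__main__":
    print(may_request_cert("192.0.2.10", "web1.example.test",
                           "HTTP/web1.example.test@EXAMPLE.TEST"))
```

Subject alternative names are deliberately not handled here, matching the state the message describes; a production check would have to apply the same comparison to every DNS SAN in the CSR, since a CA signs those names just as it signs the CN.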