[Freeipa-devel] my remaining 4.2 tickets
Fraser Tweedale
ftweedal at redhat.com
Tue Jun 30 13:03:53 UTC 2015
Hi Martin,
#4559 [RFE] Support lightweight sub-CAs
Remaining work is not huge but may be more than can be done this
week even with Christian's help; the largest remaining concern
being Custodia.
As per discussion in team meeting, I'm going to liaise with Simo
and determine a plan for the key replication.
#2915 ipa-getcert does not allow setting specific EKU on
certificates
Involves certmonger so I will need to do a bit more
investigation.
If non-trivial to accomplish this with the default profile, now
that we have support for multiple profiles it could be done with
a separate profile, as long as certmonger passes the profile
properly with `-T' argument. I will follow up on this tomorrow
and let you know what I find out.
#4970 Server certificate profile should always include a Subject
Alternate name for the host
If a subjectAltName request extension is in CSR, it is checked
by `cert-request', and copied onto the final certificate by
Dogtag. In the default profile there is currently no other way
to specify the SAN.
A possible approach to resolve this with the default profile is
to update it to include a separate, optional subjectAltName
request input, which could be filled in if explicit SAN is not
provided in CSR. There are related lines of investigation.
Will provide update tomorrow.
#4752 Provide an IEC 62351-8 / DNP3 ID certificate profile
We can provide a profile that supports DNP3 extension now if it
is included in a CSR extension request.
The patches for IEC 62351-8 extension are in review. Once that is in
Dogtag we will be able to provide a profile that supports it
with an extensionRequest in CSR.
#3473 Switch to using RESTful interface in dogtag CA interface
Postpone; there is not an urgent need.