[Freeipa-devel] my remaining 4.2 tickets
Martin Kosek
mkosek at redhat.com
Tue Jun 30 13:46:08 UTC 2015
On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> Hi Martin,
>
> #4559 [RFE] Support lightweight sub-CAs
>
> Remaining work is not huge but may be more than can be done this
> week even with Christian's help; the largest remaining concern
> being Custodia.
>
> As per discussion in team meeting, I'm going to liaise with Simo
> and determine a plan for the key replication.
>
>
> #2915 ipa-getcert does not allow setting specific EKU on
> certificates
>
> Involves certmonger so I will need to do a bit more
> investigation.
>
> If non-trivial to accomplish this with the default profile, now
> that we have support for multiple profiles it could be done with
> a separate profile, as long as certmonger passes the profile
> properly with `-T' argument. I will follow up on this tomorrow
> and let you know what I find out.
Ok. I was not involved when the ticket was filed, but it does not seem to me as
something that should get much priority and your time at this stage.
> #4970 Server certificate profile should always include a Subject
> Alternate name for the host
>
> If a subjectAltName request extension is in CSR, it is checked
> by `cert-request', and copied onto the final certificate by
> Dogtag. In the default profile there is currently no other way
> to specify the SAN.
>
> A possible approach to resolve this with the default profile is
> to update it to include a separate, optional subjectAltName
> request input, which could be filled in if explicit SAN is not
> provided in CSR. There are related lines of investigation.
> Will provide update tomorrow.
Ok.
> #4752 Provide an IEC 62351-8 / DNP3 ID certificate profile
>
> We can provide a profile that supports DNP3 extension now if it
> is included in a CSR extension request.
>
> The patches for IEC 62351-8 extension are in review. Once that is in
> Dogtag we will be able to provide a profile that supports it
> with an extensionRequest in CSR.
Ok (can be FreeIPA 4.2.x IMO).
> #3473 Switch to using RESTful interface in dogtag CA interface
>
> Postpone; there is not an urgent need.
Right, already did :-)