[Freeipa-devel] Design review request: RFC 2818 certificate compliance
Jan Cholasta
jcholast at redhat.com
Mon Mar 7 06:33:52 UTC 2016
Hi,
On 29.2.2016 07:59, Fraser Tweedale wrote:
> Hi all (especially those interested in certificates),
>
> Please provide early review of my design for RFC 2818 compliance
> which will address the following tickets:
>
> - #4970 Server certificate profile should always include a Subject Alternate name for the host
> - #5706 [RFE] Support SAN-only certificates
>
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
>
> The design is a WIP and there is no code for it yet. Looking for
> feedback and (hopefully) validation of the approach before
> committing cycles to implementing new profile components in Dogtag.
1) Do wildcard certificates need special handling? There is no mention
of them in the design doc.
2) Should we accept invalid CSRs where the CN length is greater than 64? I
wouldn't be surprised if these existed in the wild.
3) Sometimes it is not clear which parts belong to Dogtag and which to
IPA itself. For example, the upgrade section: I assume Dogtag should
update registry.cfg and the IPA caIPAserviceCert profile, but it is not
clearly stated anywhere.
Honza
--
Jan Cholasta
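The three review points above (wildcard names, CNs longer than 64 characters, and SAN-only certificates) all come down to how a client picks the identity out of a server certificate under RFC 2818 section 3.1. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It models a certificate's identity as a plain CN string plus a list of dNSName SAN values so it runs offline, applies the RFC 2818 matching rules (SAN dNSName takes precedence and the CN is then ignored; `*` only in the left-most label; no match across a dot), checks the CN against RFC 5280's ub-common-name of 64, and sketches one possible issuance policy for the two tickets. The rejection of a bare `*.tld` pattern and the `plan_identity` policy are assumptions made here, not rules taken from the design document.

```python
"""RFC 2818-style hostname matching and the CN length check discussed above.

Added example, not FreeIPA/Dogtag code. Certificate identities are modelled
as (cn, [dNSName SANs]) so no X.509 parsing library is needed.
"""
import re

UB_COMMON_NAME = 64  # RFC 5280 Appendix A: ub-common-name INTEGER ::= 64


def _label_matches(pattern, label):
    """Match one DNS label against a pattern label that may contain '*'.

    RFC 2818 allows the wildcard as a fragment of the label ('f*' matches
    'foo') but never across a dot, so only this single label is compared.
    """
    if "*" not in pattern:
        return pattern == label
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, label) is not None


def dns_name_matches(pattern, hostname):
    """RFC 2818 section 3.1 matching.

    Names compare case-insensitively; '*' is honoured only in the left-most
    label and matches exactly one label, so '*.a.com' matches 'foo.a.com'
    but not 'bar.foo.a.com'. A pattern whose left-most label is a bare '*'
    with fewer than two further labels (e.g. '*.com') is rejected here; that
    restriction is an assumption taken from RFC 6125 guidance, not RFC 2818.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard permitted only in the left-most label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # '*.com' style patterns are refused (assumption)
    if not _label_matches(p_labels[0], h_labels[0]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(hostname, cn, san_dns_names):
    """Pick the identity the way RFC 2818 section 3.1 prescribes.

    If the certificate carries any dNSName SAN, only those names are used
    and the CN is ignored; otherwise the CN is the fallback identity.
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [cn] if cn else []
    return any(dns_name_matches(c, hostname) for c in candidates)


def cn_fits(cn):
    """True when the CN is non-empty and within RFC 5280's ub-common-name."""
    return cn is not None and 0 < len(cn) <= UB_COMMON_NAME


def plan_identity(fqdn, want_cn=True):
    """Assumed issuance policy illustrating tickets #4970 and #5706.

    This is a hypothetical rule, not the one in the design document: always
    carry the host in a dNSName SAN, and put it in the CN only when it fits
    ub-common-name; otherwise issue a SAN-only certificate (CN omitted).
    """
    cn = fqdn if want_cn and cn_fits(fqdn) else None
    return {"cn": cn, "san_dns": [fqdn]}


if __name__ == "__main__":
    # Constructed inputs, not real certificates.
    print(cert_matches_host("www.example.com", "www.example.com", ["other.example.com"]))
    print(cert_matches_host("foo.a.com", "ignored", ["*.a.com"]))
    long_host = "h" * 70 + ".example.com"
    print(plan_identity(long_host))
```

Note what the first call in the usage block shows: once a dNSName SAN is present, a matching CN no longer helps, which is why ticket #4970's "always include a SAN for the host" matters for clients that already follow RFC 2818 strictly. For the long-CN question, `plan_identity` drops the CN rather than truncating it, since a truncated CN would never match anyway.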