[Freeipa-devel] Re: Certificate enrollment, principal names

Simo Sorce ssorce at redhat.com
Thu Nov 5 19:34:59 UTC 2009


On Thu, 2009-11-05 at 11:28 -0800, Andrew Wnuk wrote:
> On 11/05/09 11:22, Simo Sorce wrote:
> > On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
> >
> >> This is about right. What you're missing is storing the certificate in
> >> the service record. To do this we need to know what the target is.
> >>
> >> Nalin and I simply took two different approaches to sending this. We can
> >> easily support either method by making the principal an optional
> >> attribute and looking for it in the CSR if not provided (assuming I can
> >> get my head around PKCS#10 enough to grab attributes).
> >>
> > Given we should prevent "tricks" from people the server side should
> > really parse the CSR and validate it against the ACL IMO.
> > Otherwise do we have any other part that checks that host
> > foo.example.com is asking a certificate for itself and not for
> > bar.example.com ?
> >
> > Simo.
> >
> CSR is parsed and validated by CA.

How does the CA know "who" asked for a specific cert?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
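The check Simo is asking for, as an added illustration that is not FreeIPA code: the enrollment server maps the authenticated Kerberos principal (e.g. `host/foo.example.com@EXAMPLE.COM` or `HTTP/foo.example.com@EXAMPLE.COM`) to a hostname, then refuses the CSR unless every name it carries (subject CN and every dNSName SAN) is that host. Parsing PKCS#10 itself is left out; the `CsrNames` record, the realm and the hostnames below are constructed for the example. Wildcards, a user (non-service) principal and a foreign realm are treated as failures, since none of them identify a single host the caller is allowed to speak for.

```python
"""Server-side check that a CSR's names belong to the principal submitting it.

Added example, not FreeIPA code. Assumes the CSR has already been parsed
into subject CN + dNSName SANs (e.g. by the CA's PKCS#10 parser).
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # constructed realm for the example


@dataclass
class CsrNames:
    """Names extracted from a PKCS#10 request (constructed stand-in for a parser)."""
    subject_cn: str
    dns_sans: list[str] = field(default_factory=list)


def canon(name: str) -> str:
    """Canonicalise a DNS name: strip a trailing dot and compare case-insensitively."""
    return name.rstrip(".").lower()


def principal_host(principal: str) -> str:
    """Return the hostname of a host/ or service/ principal.

    Raises ValueError for user principals (no '/') and for other realms,
    because neither identifies a host the caller may request a cert for.
    """
    realm = REALM
    if "@" in principal:
        principal, realm = principal.rsplit("@", 1)
    if realm != REALM:
        raise ValueError(f"principal from foreign realm {realm!r}")
    if "/" not in principal:
        raise ValueError("not a host or service principal")
    _service, host = principal.split("/", 1)
    if not host or "/" in host:
        raise ValueError("malformed service principal")
    return canon(host)


def names_match_principal(principal: str, csr: CsrNames) -> tuple[bool, list[str]]:
    """Accept the CSR only if every name in it is the principal's own host.

    Returns (ok, problems) so the caller can log exactly what was rejected.
    """
    host = principal_host(principal)
    problems: list[str] = []
    if canon(csr.subject_cn) != host:
        problems.append(f"subject CN {csr.subject_cn!r} is not {host!r}")
    for san in csr.dns_sans:
        if "*" in san:
            problems.append(f"wildcard SAN {san!r} not allowed")
        elif canon(san) != host:
            problems.append(f"SAN {san!r} is not {host!r}")
    return not problems, problems


if __name__ == "__main__":
    # foo asking for itself: accepted
    print(names_match_principal("HTTP/foo.example.com@EXAMPLE.COM",
                                CsrNames("foo.example.com", ["FOO.example.com."])))
    # foo asking for bar: rejected, with the offending name reported
    print(names_match_principal("host/foo.example.com@EXAMPLE.COM",
                                CsrNames("foo.example.com", ["bar.example.com"])))
```

The point of returning the list of problems rather than a bare boolean is that the rejection reason ends up in the server log next to the authenticated principal, which is exactly the "who asked for what" record the CA alone cannot produce.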