[Freeipa-devel] caacl enforcement for subjectAltName principals
Fraser Tweedale
ftweedal at redhat.com
Thu Jul 2 14:33:11 UTC 2015
Hi all,
cert-request ensures that any dNSName values in a CSR subjectAltName
requestExtension have a corresponding service/host principal in
FreeIPA and that their entries are writable by the bind principal.
It currently DOES NOT enforce CA ACLs for these alternative
principals, i.e. it does not check that there is a caacl rule
allowing issuance of certificates to each alt-principal (using the
chosen profile).
Should it? I'm leaning towards "yes" but I want other perspectives.
To complete the picture, only the main principal has the issued
certificate added to its userCertificate attribute; the
alt-principals do not.
Thanks,
Fraser
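The behaviour under discussion, modelled as an added Python example (this is not FreeIPA's code and does not use its API): a request is accepted only if each subjectAltName dNSName maps to a known principal, and, when alt-principal enforcement is switched on, each such principal is also permitted by a caacl rule for the chosen profile. The realm, principal names, profile name and the dNSName-to-principal mapping (a fixed "HTTP" service) are constructed assumptions; the CSR contents are given directly rather than parsed.

```python
"""Model of caacl enforcement for subjectAltName principals.

Added illustration, not FreeIPA code. Assumptions (all constructed):
- a CSR is represented by its subject principal and its SAN dNSName list;
- a dNSName corresponds to the service principal "HTTP/<host>@<REALM>";
- a caacl rule is a set of profiles paired with a set of principals.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.TEST"  # constructed sample realm


@dataclass(frozen=True)
class CaAcl:
    name: str
    profiles: frozenset        # profiles this rule covers
    principals: frozenset      # principals allowed to receive certs


@dataclass(frozen=True)
class Csr:
    subject_principal: str
    san_dnsnames: tuple        # dNSName values from the SAN extension


def dnsname_to_principal(dnsname: str, service: str = "HTTP") -> str:
    """Map a SAN dNSName to the principal it must correspond to.

    Hypothetical mapping: lower-cases the name and drops a trailing dot.
    """
    return f"{service}/{dnsname.lower().rstrip('.')}@{REALM}"


def acl_permits(acls, principal: str, profile: str) -> bool:
    """True if some caacl rule lists both the profile and the principal."""
    return any(profile in a.profiles and principal in a.principals for a in acls)


def check_request(csr: Csr, profile: str, acls, known_principals, enforce_alt: bool):
    """Decide whether the request may be issued.

    Returns (allowed, reasons). With enforce_alt=False only the subject
    principal is checked against caacl rules, which is the current
    behaviour described in the post; alt-principals must merely exist.
    With enforce_alt=True every alt-principal must also be permitted.
    """
    reasons = []
    if not acl_permits(acls, csr.subject_principal, profile):
        reasons.append(f"no caacl permits {csr.subject_principal} for {profile}")
    for dns in csr.san_dnsnames:
        alt = dnsname_to_principal(dns)
        if alt not in known_principals:
            reasons.append(f"no principal found for dNSName {dns}")
            continue
        if enforce_alt and not acl_permits(acls, alt, profile):
            reasons.append(f"no caacl permits alt-principal {alt} for {profile}")
    return (not reasons, reasons)


# Constructed sample data: two service principals exist, but only the first
# is covered by a caacl rule for the sample profile.
SAMPLE_PROFILE = "sample-profile"
KNOWN_PRINCIPALS = frozenset({
    f"HTTP/web1.example.test@{REALM}",
    f"HTTP/web2.example.test@{REALM}",
})
SAMPLE_ACLS = (
    CaAcl("web1-acl", frozenset({SAMPLE_PROFILE}),
          frozenset({f"HTTP/web1.example.test@{REALM}"})),
)
# Subject is the permitted principal; the SAN names the unpermitted one.
SAMPLE_CSR = Csr(f"HTTP/web1.example.test@{REALM}", ("web2.example.test",))


if __name__ == "__main__":
    for enforce in (False, True):
        ok, why = check_request(SAMPLE_CSR, SAMPLE_PROFILE, SAMPLE_ACLS,
                                KNOWN_PRINCIPALS, enforce_alt=enforce)
        print(f"enforce_alt={enforce}: allowed={ok} {why}")
```

With enforcement off the sample request is issued even though no caacl rule covers the second host, which is the gap the post raises; with enforcement on, the request is refused and the reason names the alt-principal, so an operator can see which rule is missing.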