[Freeipa-devel] my remaining 4.2 tickets

Fraser Tweedale ftweedal at redhat.com
Thu Jul 2 15:18:58 UTC 2015


On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> > Hi Martin,
> > 
> > #4559  [RFE] Support lightweight sub-CAs
> > 
> >     Remaining work is not huge but may be more than can be done this
> >     week even with Christian's help; the largest remaining concern
> >     being Custodia.
> > 
> >     As per discussion in team meeting, I'm going to liaise with Simo
> >     and determine a plan for the key replication.
> > 
> > 
> > #2915 ipa-getcert does not allow setting specific EKU on
> > certificates
> > 
> >     Involves certmonger so I will need to do a bit more
> >     investigation.
> > 
> >     If non-trivial to accomplish this with the default profile, now
> >     that we have support for multiple profiles it could be done with
> >     a separate profile, as long as certmonger passes the profile
> >     properly with `-T' argument.  I will follow up on this tomorrow
> >     and let you know what I find out.
> 
> Ok. I was not involved when the ticket was filed, but it does not seem to me as
> something that should get much priority and your time at this stage.
> 
I haven't looked at this yet.

> > #4970   Server certificate profile should always include a Subject
> > Alternate name for the host
> > 
> >     If a subjectAltName request extension is in CSR, it is checked
> >     by `cert-request', and copied onto the final certificate by
> >     Dogtag.  In the default profile there is currently no other way
> >     to specify the SAN.
> > 
> >     A possible approach to resolve this with the default profile is
> >     to update it to include a separate, optional subjectAltName
> >     request input, which could be filled in if explicit SAN is not
> >     provided in CSR.  There are related lines of investigation.
> >     Will provide update tomorrow.
> 
> Ok.
> 
I investigated this.  My comments are on the ticket:
https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
the way our current SAN support is implemented makes this a
non-trivial ticket.

Thanks,
Fraser

> > #4752   Provide an IEC 62351-8 / DNP3 ID certificate profile
> > 
> >     We can provide a profile that supports DNP3 extension now if it
> >     is included in a CSR extension request.
> > 
> >     The patches for IEC 62351-8 extension are in review.  Once that is in
> >     Dogtag we will be able to provide a profile that supports it
> >     with an extensionRequest in CSR.
> 
> Ok (can be FreeIPA 4.2.x IMO).
> 
> > #3473  Switch to using RESTful interface in dogtag CA interface
> > 
> >     Postpone; there is not an urgent need.
> 
> Right, already did :-)
> 



