[Freeipa-devel] my remaining 4.2 tickets

Martin Kosek mkosek at redhat.com
Thu Jul 2 15:23:54 UTC 2015


On 07/02/2015 05:18 PM, Fraser Tweedale wrote:
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
...
>>> #4970   Server certificate profile should always include a Subject
>>> Alternate name for the host
>>>
>>>     If a subjectAltName request extension is in CSR, it is checked
>>>     by `cert-request', and copied onto the final certificate by
>>>     Dogtag.  In the default profile there is currently no other way
>>>     to specify the SAN.
>>>
>>>     A possible approach to resolve this with the default profile is
>>>     to update it to include a separate, optional subjectAltName
>>>     request input, which could be filled in if explicit SAN is not
>>>     provided in CSR.  There are related lines of investigation.
>>>     Will provide update tomorrow.
>>
>> Ok.
>>
> I investigated this.  My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.

Thanks. What we need to do now (in the couple days left before 4.2 GA) is to
think if there is any problem that would prevent us from adding this
functionality later. If there is no problem, we are mostly done, as we won't be
able to do the Dogtag changes before 4.2 GA, I suppose.

If yes, that's another story and we would need to plan what can be done before GA.



