[Freeipa-devel] my remaining 4.2 tickets

Jan Cholasta jcholast at redhat.com
Thu Jul 2 15:58:30 UTC 2015


Hi,

Dne 2.7.2015 v 17:18 Fraser Tweedale napsal(a):
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>> #2915 ipa-getcert does not allow setting specific EKU on
>>> certificates
>>>
>>>      Involves certmonger so I will need to do a bit more
>>>      investigation.
>>>
>>>      If non-trivial to accomplish this with the default profile, now
>>>      that we have support for multiple profiles it could be done with
>>>      a separate profile, as long as certmonger passes the profile
>>>      propertly with `-T' argument.  I will follow up on this tomorrow
>>>      and let you know what I find out.
>>
>> Ok. I was not involved when the ticket was filed, but it does not seem to me as
>> something that should get much priority and your time at this stage.
>>
> I haven't looked at this yet.

FYI getcert has supported setting EKU in the CSR using the -U option for a
long time. It has also correctly passed the profile to IPA since 0.78.

>
>>> #4970   Server certificate profile should always include a Subject
>>> Alternate name for the host
>>>
>>>      If a subjectAltName request extension is in CSR, it is checked
>>>      by `cert-request', and copied onto the final certificate by
>>>      Dogtag.  In the default profile there is currently no other way
>>>      to specify the SAN.
>>>
>>>      A possible approach to resolve this with the default profile is
>>>      to update it to include a separate, optional subjectAltName
>>>      request input, which could be filled in if explicit SAN is not
>>>      provided in CSR.  There are related lines of investigation.
>>>      Will provide update tomorrow.
>>
>> Ok.
>>
> I investigated this.  My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.

On a related note, I think we should also always include a Kerberos
principal name SAN.

Honza

-- 
Jan Cholasta
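The thread above touches two CSR-side points: a SAN request extension is checked before being copied onto the certificate, and an EKU can be requested in the CSR. The following is an added example (not FreeIPA, Dogtag or certmonger code) that builds such a CSR with a dNSName SAN, a Kerberos principal otherName SAN and a serverAuth EKU, then runs the kind of issuer-side checks a cert-request step would apply. It assumes the `cryptography` package, a hypothetical host and principal, and NT-PRINCIPAL as the principal name-type.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

KRB5_PRINCIPAL_NAME = x509.ObjectIdentifier("1.3.6.1.5.2.2")  # id-pkinit-san (RFC 4556)

def _der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV; short-form length is enough for realm and principal strings.
    assert len(body) < 128, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def krb5_principal_name_der(principal: str) -> bytes:
    """Encode 'svc/host@REALM' as KRB5PrincipalName (RFC 4556 section 3.2.2)."""
    name, realm = principal.rsplit("@", 1)
    kstr = lambda s: _der(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString
    name_string = _der(0x30, b"".join(kstr(p) for p in name.split("/")))
    principal_name = _der(0x30, _der(0xA0, _der(0x02, b"\x01"))  # name-type [0] = NT-PRINCIPAL (assumed)
                          + _der(0xA1, name_string))                # name-string [1]
    return _der(0x30, _der(0xA0, kstr(realm)) + _der(0xA1, principal_name))

def build_csr(hostname: str, principal: str) -> x509.CertificateSigningRequest:
    """CSR carrying a dNSName SAN, a Kerberos principal SAN and a serverAuth EKU (constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName([
        x509.DNSName(hostname),
        x509.OtherName(KRB5_PRINCIPAL_NAME, krb5_principal_name_der(principal))])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(key, hashes.SHA256()))

def _ext(csr, cls):
    try:
        return csr.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def check_csr(csr, hostname: str, principal: str) -> dict:
    """Issuer-side checks: SAN present, dNSName is the host, principal SAN matches, EKU permits serverAuth."""
    san, eku = _ext(csr, x509.SubjectAlternativeName), _ext(csr, x509.ExtendedKeyUsage)
    expected = krb5_principal_name_der(principal)
    others = san.get_values_for_type(x509.OtherName) if san is not None else []
    return {
        "san_present": san is not None,
        "dns_matches_host": san is not None and hostname in san.get_values_for_type(x509.DNSName),
        "krb5_principal": any(o.type_id == KRB5_PRINCIPAL_NAME and o.value == expected for o in others),
        "server_auth_eku": eku is not None and ExtendedKeyUsageOID.SERVER_AUTH in eku,
    }
```

A CSR whose SAN names a different host or principal fails the corresponding check, which is the case an issuer must reject rather than copy through.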
