[Freeipa-devel] caacl enforcement for subjectAltName principals
Petr Spacek
pspacek at redhat.com
Thu Jul 2 16:24:12 UTC 2015
On 2.7.2015 16:33, Fraser Tweedale wrote:
> Hi all,
>
> cert-request ensures that any dNSName values in a CSR subjectAltName
> requestExtension have a corresponding service/host principal in
> FreeIPA and that their entries are writable by the bind principal.
>
> It currently DOES NOT enforce CA ACLs for these alternative
> principals, i.e. it does not check that there is a caacl rule
> allowing issuance of certificates to each alt-principal (using the
> chosen profile.)
>
> Should it? I'm leaning towards "yes" but I want other perspectives.
I would say 'it has to!' :-)
From my point of view, subjectAltName allows the entity possessing the private
key for the certificate to impersonate anything mentioned in
SubjectAltName and CN ...
--
Petr^2 Spacek
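The check under discussion, as an added example that is not FreeIPA's own cert-request code: a hypothetical Python model in which each subjectAltName dNSName is mapped to an existing host or service principal, the bind principal must be able to write that entry (the check cert-request already does), and, when `enforce_alt_caacl` is set, a CA ACL rule must also permit that alternative principal with the chosen profile (the check Fraser proposes). The realm, the directory contents, the CA ACL rules, the profile names and all function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

REALM = "EXAMPLE.TEST"  # constructed realm (assumption)

# Constructed directory state: principal -> bind principals allowed to write its entry.
DIRECTORY = {
    "host/web1.example.test@EXAMPLE.TEST": {"admin@EXAMPLE.TEST", "host/web1.example.test@EXAMPLE.TEST"},
    "HTTP/web1.example.test@EXAMPLE.TEST": {"admin@EXAMPLE.TEST", "host/web1.example.test@EXAMPLE.TEST"},
    "host/web2.example.test@EXAMPLE.TEST": {"admin@EXAMPLE.TEST", "host/web1.example.test@EXAMPLE.TEST"},
    "host/db1.example.test@EXAMPLE.TEST": {"admin@EXAMPLE.TEST"},
}


@dataclass(frozen=True)
class CaAcl:
    """Simplified CA ACL rule (hypothetical shape): profiles x principals it permits."""
    name: str
    profiles: FrozenSet[str]
    principals: FrozenSet[str] = frozenset()
    all_principals: bool = False  # models a "principal category: all" rule


# Constructed rules: web tier may use caIPAserviceCert; db1 only a separate profile.
CAACLS = [
    CaAcl("web_tier", frozenset({"caIPAserviceCert"}),
          frozenset({"host/web1.example.test@EXAMPLE.TEST",
                     "HTTP/web1.example.test@EXAMPLE.TEST",
                     "host/web2.example.test@EXAMPLE.TEST"})),
    CaAcl("db_tier", frozenset({"dbServerCert"}),
          frozenset({"host/db1.example.test@EXAMPLE.TEST"})),
]


def caacl_permits(principal: str, profile: str) -> bool:
    """True if any rule allows this principal to obtain a cert with this profile."""
    return any(profile in r.profiles and (r.all_principals or principal in r.principals)
               for r in CAACLS)


def principal_for_dnsname(dnsname: str, service_type: str) -> Optional[str]:
    """Map a SAN dNSName to an existing host principal, or a service principal of
    the same service type as the CSR subject; None if neither exists."""
    for cand in (f"host/{dnsname}@{REALM}", f"{service_type}/{dnsname}@{REALM}"):
        if cand in DIRECTORY:
            return cand
    return None


def check_request(bind_principal: str, subject_principal: str, san_dnsnames: List[str],
                  profile: str, enforce_alt_caacl: bool = True) -> List[str]:
    """Return the list of reasons to deny issuance; an empty list means permitted."""
    if subject_principal not in DIRECTORY:
        return [f"subject principal {subject_principal} not found"]
    denials = []
    service_type = subject_principal.split("/", 1)[0]
    if bind_principal not in DIRECTORY[subject_principal]:
        denials.append(f"{bind_principal} cannot write {subject_principal}")
    if not caacl_permits(subject_principal, profile):
        denials.append(f"no CA ACL permits {subject_principal} with profile {profile}")
    for name in san_dnsnames:
        alt = principal_for_dnsname(name, service_type)
        if alt is None:
            denials.append(f"dNSName {name}: no matching host/service principal")
            continue
        # Existing check: the requester must control the alternative principal's entry.
        if bind_principal not in DIRECTORY[alt]:
            denials.append(f"dNSName {name}: {bind_principal} cannot write {alt}")
        # Proposed check: the alternative principal must itself pass the CA ACLs,
        # since the issued key can impersonate every name in the SAN.
        if enforce_alt_caacl and not caacl_permits(alt, profile):
            denials.append(f"dNSName {name}: no CA ACL permits {alt} with profile {profile}")
    return denials


if __name__ == "__main__":
    admin = "admin@EXAMPLE.TEST"
    subj = "HTTP/web1.example.test@EXAMPLE.TEST"
    print(check_request(admin, subj, ["web2.example.test"], "caIPAserviceCert"))
    print(check_request(admin, subj, ["db1.example.test"], "caIPAserviceCert"))
    print(check_request(admin, subj, ["db1.example.test"], "caIPAserviceCert",
                        enforce_alt_caacl=False))
```

With `enforce_alt_caacl=False` the second request succeeds even though no rule lets `host/db1` obtain a `caIPAserviceCert`: admin can write the db1 entry, so the writability check alone lets a web-tier certificate carry the database host's name. Turning enforcement on is what closes that gap.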