[Freeipa-devel] my remaining 4.2 tickets

Martin Kosek mkosek at redhat.com
Fri Jul 3 06:23:45 UTC 2015


On 07/02/2015 05:58 PM, Jan Cholasta wrote:
> Hi,
>
> Dne 2.7.2015 v 17:18 Fraser Tweedale napsal(a):
>> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>>> #2915 ipa-getcert does not allow setting specific EKU on
>>>> certificates
>>>>
>>>>      Involves certmonger so I will need to do a bit more
>>>>      investigation.
>>>>
>>>>      If non-trivial to accomplish this with the default profile, now
>>>>      that we have support for multiple profiles it could be done with
>>>>      a separate profile, as long as certmonger passes the profile
>>>>      properly with `-T' argument.  I will follow up on this tomorrow
>>>>      and let you know what I find out.
>>>
>>> Ok. I was not involved when the ticket was filed, but it does not seem to me as
>>> something that should get much priority and your time at this stage.
>>>
>> I haven't looked at this yet.
>
> FYI getcert supports setting EKU in the CSR using the -U option for a long
> time. It also correctly passes the profile to IPA since 0.78.
>
>>
>>>> #4970   Server certificate profile should always include a Subject
>>>> Alternate name for the host
>>>>
>>>>      If a subjectAltName request extension is in CSR, it is checked
>>>>      by `cert-request', and copied onto the final certificate by
>>>>      Dogtag.  In the default profile there is currently no other way
>>>>      to specify the SAN.
>>>>
>>>>      A possible approach to resolve this with the default profile is
>>>>      to update it to include a separate, optional subjectAltName
>>>>      request input, which could be filled in if explicit SAN is not
>>>>      provided in CSR.  There are related lines of investigation.
>>>>      Will provide update tomorrow.
>>>
>>> Ok.
>>>
>> I investigated this.  My comments are on the ticket:
>> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
>> the way our current SAN support is implemented makes this a
>> non-trivial ticket.
>
> On a related note, I think we should also always include kerberos principal
> name SAN.

That would be nice. How difficult is it to enable this with certificates FreeIPA 
issues? It would also make principal-based queries for Dogtag certificates 
easier. Right?

Martin
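The thread above turns on two request extensions that travel in the CSR: the extendedKeyUsage that getcert's -U option sets, and the subjectAltName that cert-request checks and Dogtag copies onto the final certificate, which Jan would like to always carry the Kerberos principal name as well. The script below is an added example, not code from the FreeIPA project or from any participant in the thread. It assumes a POSIX shell with the openssl command available, and the hostname web.example.test, realm EXAMPLE.TEST and principal HTTP/web.example.test are constructed sample values. It builds a CSR carrying a serverAuth EKU plus a SAN with both a DNS name and a PKINIT KRB5PrincipalName otherName (OID 1.3.6.1.5.2.2), then inspects the CSR for those values before it would be handed to a CA.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): build a CSR that carries both an
# extendedKeyUsage and a subjectAltName request extension, then inspect it the
# way a reviewer would before a CA copies those values onto the certificate.
# Hostname, realm and principal below are constructed sample values.
set -eu

# make_csr DIR: writes a key and CSR into DIR and prints the CSR path.
make_csr() {
    dir="$1"
    cat > "$dir/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no

[dn]
CN = web.example.test

[ext]
# The EKU a `getcert request -U ...` invocation would place in the CSR
extendedKeyUsage = serverAuth
# DNS SAN plus a Kerberos principal name (PKINIT otherName, OID 1.3.6.1.5.2.2)
subjectAltName = DNS:web.example.test, otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
[princ_name]
realm = EXP:0, GeneralString:EXAMPLE.TEST
principal_name = EXP:1, SEQUENCE:principal_seq

# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

# name-type 1 (NT-PRINCIPAL) with components HTTP and web.example.test
[principals]
princ1 = GeneralString:HTTP
princ2 = GeneralString:web.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/key.pem" -out "$dir/req.pem" \
        -config "$dir/csr.cnf" 2>/dev/null
    echo "$dir/req.pem"
}

# check_csr CSR: succeeds only if the CSR requests the serverAuth EKU and a
# SAN containing both the DNS name and an otherName entry. openssl prints
# the PKINIT otherName as "othername:<unsupported>" (1.1) or
# "othername: 1.3.6.1.5.2.2::<unsupported>" (3.x); both match the grep.
check_csr() {
    txt=$(openssl req -in "$1" -noout -text)
    echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
    echo "$txt" | grep -q 'DNS:web.example.test' || return 1
    echo "$txt" | grep -qi 'othername' || return 1
    return 0
}

# Stand-alone usage: generate into a temporary directory and report.
main() {
    workdir=$(mktemp -d)
    csr=$(make_csr "$workdir")
    if check_csr "$csr"; then
        echo "CSR $csr carries EKU and SAN request extensions"
    else
        echo "CSR $csr is missing EKU or SAN" >&2
        return 1
    fi
}

main
```

The check is deliberately done on the CSR rather than the issued certificate: whether the CA honours a request extension is a profile decision (in the thread, whether the default profile copies the SAN or needs a separate input), so confirming what was asked for is the first step when a certificate comes back without the expected SAN or EKU.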



