[Freeipa-users] How to remove bad cert renewal from certmonger?
Rob Crittenden
rcritten at redhat.com
Mon Apr 25 14:53:16 UTC 2016
Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> On 23.4.2016 1:23, EXT Rob Crittenden wrote:
>> Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> ........
>>> Repetitio est mater studiorum:
>>>
>>> How I can clean this defective state of certmonger?
>>
>> # ipa-getcert stop-tracking -i 20160212110456
>>
>
> Ah! That was obvious! Thanks a lot Rob.
>
>>>
>>> Second question if/when the above urgent problem is solved:
>>>
>>> Is there any way to get IP address to SAN field for the IPA
>>> Server-Certs?
>>
>> Not without changing code. IP address SANs are explicitly forbidden:
>> Subject alt name type IP Address is forbidden
>>
>> rob
>
> Is there any true reason why IP Address is forbidden by certmonger /
> freeipa? Or is it just "not implemented" kind of restriction?
>
It is denied by IPA, not certmonger.
IP addresses are frowned upon in certs in general and they are denied by
IPA because the access control would be really difficult. Today a host
must be granted access to issue certs with additional names in it.
You can open an RFE for this on the IPA trac if you really need it.
I'm not deeply familiar with the new profile support so perhaps it is
possible to do this using the latest version of IPA, I'm not sure.
rob
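Added example, not code from the thread or from the FreeIPA project: a POSIX shell script that parses constructed `getcert list` output (the layout is assumed from certmonger's usual format; only the request ID 20160212110456 comes from the thread) and lists the requests that are stuck or not in MONITORING, printing the `ipa-getcert stop-tracking` command Rob gave for each one rather than running it.

```shell
#!/bin/sh
# Added example, not from the thread: parse the text that `getcert list`
# prints and report request IDs that certmonger marks as stuck or that are
# not in MONITORING, i.e. candidates for the stop-tracking command above.
# Format assumed from certmonger's usual layout; sample is constructed.

sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160212110456':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
Request ID '20160301120000':
    status: MONITORING
    stuck: no
    CA: IPA
Request ID '20160415090000':
    status: CA_REJECTED
    stuck: no
    CA: IPA
EOF
}

# Reads `getcert list` text on stdin; prints one request ID per line for
# each request that is stuck or whose status is not MONITORING.
stuck_requests() {
    awk '
        function flush() {
            if (id != "" && (stuck == "yes" || status != "MONITORING")) print id
        }
        /^Request ID/ { flush(); id = $0; gsub(/[^0-9]/, "", id); status = ""; stuck = "" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        END { flush() }
    '
}

# Prints, without executing, the cleanup command from the thread for each
# problematic request so an admin can review the list first.
stop_tracking_commands() {
    stuck_requests | while read -r id; do
        printf 'ipa-getcert stop-tracking -i %s\n' "$id"
    done
}

sample_getcert_list | stop_tracking_commands
```

On a real host, replace `sample_getcert_list` with `getcert list` and review the printed commands before running any of them.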