[Freeipa-users] How to remove bad cert renewal from certmonger?

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 25 15:05:04 UTC 2016


On Mon, 25 Apr 2016, Rob Crittenden wrote:
>Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
>>On 23.4.2016 1:23, EXT Rob Crittenden wrote:
>>>Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
>>........
>>>>Repetitio est mater studiorum:
>>>>
>>>>How I can clean this defective state of certmonger?
>>>
>>># ipa-getcert stop-tracking -i 20160212110456
>>>
>>
>>Ah! That was obvious! Thanks a lot Rob.
>>
>>>>
>>>>Second question if/when the above urgent problem is solved:
>>>>
>>>>Is there any way to get IP address to SAN field for the IPA
>>>>Server-Certs?
>>>
>>>Not without changing code. IP address SAN are explicitly forbidden:
>>>Subject alt name type IP Address is forbidden
>>>
>>>rob
>>
>>Is there any true reason why IP Address is forbidden by certmonger /
>>freeipa? Or is it just "not implemented" kind of restriction?
>>
>
>It is denied by IPA, not certmonger.
>
>IP addresses are frowned upon in certs in general and they are denied 
>by IPA because the access control would be really difficult. Today a 
>host must be granted access to issue certs with additional names in 
>it.
>
>You can open a RFE for this on the IPA trac if you really need it.
>
>I'm not deeply familiar with the new profile support so perhaps it is 
>possible to do this using the latest version of IPA, I'm not sure.
Correct and no, it is not right now. 

Certificate profile defines what CA considers possible to grant when
issuing a cert. CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. IPA framework is sitting in
front of CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
be conflicting with IPA access controls.

As it happens now, IPA framework disallows IP addresses. Adding support
for that would need to get proper logic in place to decide which
address spaces may be managed by a requesting party -- a host
in your case, as certmonger asks for the cert on behalf of the host. We
don't have any system in place for that.


-- 
/ Alexander Bokovoy
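The fix Rob gave above (ipa-getcert stop-tracking -i <request id>) needs the ID of the bad request, which certmonger prints in 'getcert list'. The script below is an added example, not from this thread and not part of FreeIPA or certmonger: it reads 'getcert list' output, picks out every request whose "stuck:" field is "yes", and prints the matching stop-tracking command with the request's status so they can be reviewed before running. The 'getcert list' output embedded in sample_getcert_list is constructed for offline use and its request IDs, paths and statuses are made up; the field layout (Request ID '...':, status:, stuck:) is assumed to match what certmonger prints.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeIPA/certmonger.
# Finds certmonger tracking requests that are stuck and prints the matching
# "ipa-getcert stop-tracking -i <request id>" command for each one, so a bad
# renewal request can be removed by its ID.
#
# The 'getcert list' output below is constructed for offline use; on a real
# IPA host feed the live output instead:
#     getcert list | stuck_stop_tracking_commands

sample_getcert_list() {
    # Constructed sample in the layout 'getcert list' prints; IDs, paths and
    # statuses are invented.  Real output indents fields with a tab, the
    # parser below accepts tabs or spaces.
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160212110456':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    track: yes
    auto-renew: yes
Request ID '20160212110457':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    track: yes
    auto-renew: yes
Request ID '20160301090000':
    status: NEED_GUIDANCE
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/app.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
    CA: IPA
    track: yes
    auto-renew: yes
EOF
}

# Read 'getcert list' output on stdin; print "<request id> <status>" for each
# request whose "stuck:" field is "yes".  Request IDs appear quoted, e.g.
#     Request ID '20160212110456':
# so the quotes and the trailing colon are stripped.  The status line comes
# before the stuck line, so it is remembered and printed when stuck matches.
stuck_requests() {
    awk -v q="'" '
        /^Request ID /       { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]*status: /    { status = $2 }
        /^[ \t]*stuck: yes/  { print id, status }
    '
}

# Turn the stuck requests into stop-tracking commands, one per line.  They are
# printed, not executed, so they can be checked first; pipe the output to sh
# to run them.
stuck_stop_tracking_commands() {
    stuck_requests | while read -r id status; do
        printf 'ipa-getcert stop-tracking -i %s   # status: %s\n' "$id" "$status"
    done
}

# Stand-alone run against the constructed sample.
sample_getcert_list | stuck_stop_tracking_commands
```

Only "stuck: yes" requests are reported, so a healthy MONITORING entry for the same nickname is left alone; the status is carried along because CA_UNREACHABLE (the CA could not be reached) and NEED_GUIDANCE (certmonger is waiting for an admin) call for different follow-up once the bad request is gone.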