[Freeipa-users] SAN with IP address [Was: Re: How to remove bad cert renewal from certmonger?]
Alexander Bokovoy
abokovoy at redhat.com
Tue Apr 26 15:04:20 UTC 2016
On Tue, 26 Apr 2016, Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
>On 25.4.2016 18:05, EXT Alexander Bokovoy wrote:
>>On Mon, 25 Apr 2016, Rob Crittenden wrote:
>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
>........
>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
>>>
>>>It is denied by IPA, not certmonger.
>>>
>>>IP addresses are frowned upon in certs in general and they are denied
>>>by IPA because the access control would be really difficult. Today a
>>>host must be granted access to issue certs with additional names in it.
>>>
>>>You can open a RFE for this on the IPA trac if you really need it.
>>>
>>>I'm not deeply familiar with the new profile support so perhaps it is
>>>possible to do this using the latest version of IPA, I'm not sure.
>>Correct and no, it is not right now.
>>Certificate profile defines what CA considers possible to grant when
>>issuing a cert. CA doesn't have contextual logic -- that would be
>>provided by an agent approving the cert. IPA framework is sitting in
>>front of CA to put the context in place and could be considered such an
>>agent, so we have logic to cross-check the request for fields that would
>>be conflicting with IPA access controls.
>>
>>As it happens now, IPA framework disallows IP addresses. Adding support
>>for that would need to get proper logic in place to decide which
>>address spaces to allow being managing by a requesting party -- a host
>>in your case as certmonger asks for the cert on behalf of the host. We
>>don't have any system in place for that.
>>
>>
>Because I am not an expert on IPA / cert-business I might
>over-simplify the case.
>
>To me letting to add to SAN an IP address of related FQDN would be
>quite simple case. When I am requesting cert for ipa2.public.domain
>and ipa2.management.domain and wanting to have also their IPs in SAN
>extension of the cert. The logic would be something like; IPA
>framework checks that related FQDNs and their DNS information is in
>place in IPA => allow
We don't have for a general case any means to rely on the IP address <->
host name mapping. For cases where there is DNS zone managed by IPA we
might add a logic, I agree, but not in general unless there is DNSSEC in
place -- because with DNSSEC we could at least be able to verify
signatures on the records to see if we could trust the data.
>There probably are much more complicated cases though. I understand
>that to create huge number of exceptions for all the possible cases
>would be mission impossible. Thus it would be nice if there would be
>possibility for ipa admin to create this kind of rules to allow local
>exceptions -- even frowned ones.
>
>In my original email I promised not to go details why I'd need the
>feature, but here we go...
>
>In our case the IP in SAN would be needed because our lab has its own
>DNS space that is not published to intranet side. However there are
>situations when user needs / wants to connect certain web services in
>lab also from intranet (to change his password on IPA for example). In
>such cases he has to give URL with IP address, but browsers tell that
>the certificate is invalid because the cert is only valid for FQDN.
>
>Naturally it is possible to create an exception on browser or add
>/etc/hots entry for FQDN on intranet computer. However to me IP in SAN
>would be much more elegant and clean solution.
I understand you pain. You can file a ticket with a feature request for
that use case.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list