[Pki-devel] copying EKU info from certificate request

Christina Fu cfu at redhat.com
Thu Jun 19 16:42:06 UTC 2014


This is the same info I supplied for another IPA ticket, 
https://fedorahosted.org/freeipa/ticket/3977 :

https://access.redhat.com/site/documentation//en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#User_Supplied_Extension_Default

I think that's what you are looking for.  Give it a try and let me know.

Christina

On 06/11/2014 09:44 PM, Fraser Tweedale wrote:
> Hi all,
>
> Currently the ExtendedKeyUsageExtDefault unconditionally sets the
> EKU info for the certificate according to its configuration.  If an
> EKU extension is present in a signing request, it gets clobbered.
>
> This is apparently a cause for confusion (see
> https://fedorahosted.org/freeipa/ticket/2915), but because the
> policy default is always paired with a policy constraint, it is
> possible to copy the EKU from the request and allow the constraint
> to reject unacceptable values.
>
> Implementing this behaviour seems reasonable to me (and it would
> resolve the above ticket) but I only have a newcomer's view of the
> profiles system.  Perhaps "multitude of profiles" is preferred over
> "versatile profiles", or things must remain as they are for other
> reasons.  I appreciate your input!
>
> (A side note: There are several profiles that use NoConstraint with
> ExtendedKeyUsageExtDefault; to preserve existing behaviour, these
> would have to be changed to use ExtendedKeyUsageExtConstraint,
> configured to match the default).
>
> Cheers,
>
> Fraser
