a0996ca Change RA agent certificate profile to caSubsystemCert

1 file. Authored by abbra 4 years ago, committed by cheimes 4 years ago.
    Change RA agent certificate profile to caSubsystemCert
    
    Currently, the RA agent certificate is issued using the caServerCert
    profile. This has the unfortunate side effect of asserting the
    id-pk-serverAuth EKU, which is not really needed for the RA agent. If the
    IPA CA certificate adds SAN DNS constraints into issued certificates,
    the presence of the id-pk-serverAuth EKU forces NSS (and other crypto
    libraries) to validate the CN value with regard to the SAN DNS
    constraints, due to the historical use of CN bearing a DNS name.
    
    Since the RA agent certificate has 'CN=IPA RA', it is guaranteed to fail
    the check.
    
    The default IPA CA configuration does *not* add SAN DNS constraints into
    the RA agent certificate. However, it is better to be prepared for such
    behavior.
    
    Related: https://bugzilla.redhat.com/1670239
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
    
        
file modified
+1 -1
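
The check described in the commit message, modelled as an added example; it is not part of this commit and is not NSS code. The constraint domain `ipa.example` and the two EKU sets are constructed assumptions, and the model only covers the rule that a certificate asserting the serverAuth EKU has its CN tested as a DNS name against permitted DNS subtrees.

```python
# Simplified model of the validation rule from the commit message; not NSS code.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # serverAuth EKU OID
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # clientAuth EKU OID


def dns_in_subtree(name, subtree):
    """RFC 5280 dNSName constraint: the name matches when it equals the
    subtree or adds whole labels to its left."""
    n = name.lower().rstrip(".").split(".")
    s = subtree.lower().strip(".").split(".")
    return len(n) >= len(s) and n[-len(s):] == s


def names_to_check(cn, san_dns, ekus):
    """DNS names a validator tests against the issuer's DNS constraints."""
    names = list(san_dns)
    # Historical use: a server certificate may carry its host name in CN,
    # so CN is treated as a DNS name when serverAuth is asserted.
    if SERVER_AUTH in ekus:
        names.append(cn)
    return names


def violations(cn, san_dns, ekus, permitted):
    """Return the names that fall outside every permitted DNS subtree."""
    if not permitted:  # issuer imposes no DNS constraints
        return []
    return [n for n in names_to_check(cn, san_dns, ekus)
            if not any(dns_in_subtree(n, p) for p in permitted)]


# Constructed inputs (assumptions, not values from the commit).
PERMITTED = ["ipa.example"]
RA_CN = "IPA RA"
BEFORE = {SERVER_AUTH, CLIENT_AUTH}  # assumed EKU set that includes serverAuth
AFTER = {CLIENT_AUTH}                # assumed EKU set without serverAuth

if __name__ == "__main__":
    for label, ekus in (("serverAuth asserted", BEFORE),
                        ("no serverAuth", AFTER)):
        bad = violations(RA_CN, [], ekus, PERMITTED)
        print(f"{label}: {'FAIL ' + repr(bad) if bad else 'ok'}")
```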