We should support adding constraints to the IPA CA certificate when the CA is created, so that admins can lower their liability about what certificates are accepted by clients.
Should the CA ever be compromised if it limits itself to only a handful of IPA controlled DNS names it can't be used to MITM users accessing external resources. In large organizations this might be necessary if IPA is allowed to control only certain internal subdomains.
See http://tools.ietf.org/html/rfc5280#section-4.2.1.10 and http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: Future Releases
Login to comment on this ticket.