#3466 [RFE] Support adding constraints to the IPA CA certificate at install time
Opened 11 years ago by simo. Modified 7 years ago

We should support adding constraints to the IPA CA certificate when the CA is created, so that admins can lower their liability about what certificates are accepted by clients.

Should the CA ever be compromised, if it limits itself to only a handful of IPA-controlled DNS names, it can't be used to MITM users accessing external resources. In large organizations this might be necessary if IPA is allowed to control only certain internal subdomains.

See http://tools.ietf.org/html/rfc5280#section-4.2.1.10
and http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B


Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
