cert-request ensures that any dNSName values in a CSR subjectAltName requestExtension have a corresponding service/host principal in FreeIPA and that their entries are writable by the bind principal.
It currently DOES NOT enforce CA ACLs for these alternative principals, i.e. it does not check that there is a caacl rule allowing issuance of certificates to each alt-principal (using the chosen profile).
pspacek: From my point of view, subjectAltName allows the entity possessing the private key for the certificate to impersonate anything mentioned in SubjectAltName and CN ...
Therefore, enforce the caacl for all principals indicated in the subjectAltName request extension.
attachment freeipa-ftweedal-0027-cert-request-enforce-caacl-for-principals-in-SAN.patch
master:
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2
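The check the ticket asks for, written out as an added example; this is not FreeIPA's code or the attached patch, but a self-contained model of the same decision. It assumes (hypothetically) that a SAN dNSName maps to a principal of the same service type as the subject principal (`host/<fqdn>` for host certs, `HTTP/<fqdn>` for an HTTP service), and it reduces a caacl rule to host/service/profile membership plus an enabled flag; user, group and CA membership, and the "writable by the bind principal" test from the description, are left out. The `CaAcl`, `authorize_request` and related names, the realm and the sample rules are constructed for the example. The `enforce_san_acls=False` path reproduces the pre-fix behaviour described above (SAN names must exist, but only the subject principal goes through the CA ACLs) so the difference is visible on one request.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

REALM = "EXAMPLE.TEST"  # constructed realm for the example


@dataclass
class CaAcl:
    """Simplified caacl rule (assumed shape; real rules also cover users, groups and CAs)."""
    name: str
    enabled: bool = True
    hostcategory: Optional[str] = None       # 'all' or None
    servicecategory: Optional[str] = None    # 'all' or None
    profilecategory: Optional[str] = None    # 'all' or None
    memberhost: Set[str] = field(default_factory=set)     # host FQDNs
    memberservice: Set[str] = field(default_factory=set)  # service principals
    memberprofile: Set[str] = field(default_factory=set)  # certificate profile ids


def principal_for_dnsname(subject_principal: str, dnsname: str) -> str:
    """Map a SAN dNSName to the principal expected to own it.

    Assumption: the alt principal has the same service type as the subject
    principal, e.g. host/<fqdn>@REALM for host certs, HTTP/<fqdn>@REALM for HTTP.
    """
    service = subject_principal.split("/", 1)[0]
    return f"{service}/{dnsname.lower()}@{REALM}"


def acl_permits(acl: CaAcl, principal: str, profile_id: str) -> bool:
    """Does this one rule allow issuing a cert with profile_id to principal?"""
    if not acl.enabled:
        return False
    service, rest = principal.split("/", 1)
    fqdn = rest.split("@", 1)[0]
    if service == "host":
        subject_ok = acl.hostcategory == "all" or fqdn in acl.memberhost
    else:
        subject_ok = acl.servicecategory == "all" or principal in acl.memberservice
    profile_ok = acl.profilecategory == "all" or profile_id in acl.memberprofile
    return subject_ok and profile_ok


def denied_principals(principals: List[str], profile_id: str, acls: List[CaAcl]) -> List[str]:
    """Principals for which no rule at all permits issuance with profile_id."""
    return [p for p in principals if not any(acl_permits(a, p, profile_id) for a in acls)]


def authorize_request(subject_principal: str, san_dnsnames: List[str], profile_id: str,
                      acls: List[CaAcl], known_principals: Set[str],
                      enforce_san_acls: bool = True) -> List[Tuple[str, str]]:
    """Return (principal, reason) rejections; an empty list means the request may be issued.

    enforce_san_acls=False models the pre-fix behaviour: every SAN dNSName must
    have a host/service entry, but only the subject principal is run through
    the CA ACLs.  With True, every SAN principal is checked as well.
    """
    problems: List[Tuple[str, str]] = []
    alt_principals = [principal_for_dnsname(subject_principal, d) for d in san_dnsnames]
    for p in alt_principals:
        if p not in known_principals:
            problems.append((p, "no matching host/service entry"))
    to_check = [subject_principal] + (alt_principals if enforce_san_acls else [])
    to_check = list(dict.fromkeys(p for p in to_check if p in known_principals))  # dedupe, keep order
    for p in denied_principals(to_check, profile_id, acls):
        problems.append((p, f"no CA ACL permits profile {profile_id}"))
    return problems


# Constructed sample data: one rule that only covers the www service with one profile.
ACLS = [
    CaAcl("www-only",
          memberservice={"HTTP/www.example.test@EXAMPLE.TEST"},
          memberprofile={"caIPAserviceCert"}),
]
KNOWN = {
    "HTTP/www.example.test@EXAMPLE.TEST",
    "HTTP/mail.example.test@EXAMPLE.TEST",
}


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Same CSR (subject www, SAN www + mail) under the old and the new check."""
    subject = "HTTP/www.example.test@EXAMPLE.TEST"
    sans = ["www.example.test", "mail.example.test"]
    before = authorize_request(subject, sans, "caIPAserviceCert", ACLS, KNOWN, enforce_san_acls=False)
    after = authorize_request(subject, sans, "caIPAserviceCert", ACLS, KNOWN)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pre-fix (subject only):", before)
    print("with SAN enforcement:  ", after)
```

Without SAN enforcement the www service, which is allowed by the rule, gets a certificate that is also valid for mail.example.test even though no rule covers that principal; with enforcement the request is rejected naming the offending principal, which is exactly the impersonation path pspacek describes.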