If #5205 is implemented we will now accept CSRs with all kinds of extensions and extension values (SAN will still be comprehensively verified). However, it is always up to the CA to issue according to the profile, regardless of request extensions or other info in CSR.
This could lead to confusion if users have included particular extension values in the CSR but are issued a certificate without those extensions or values.
Discussion on the proposal to remove the request extension restrictions suggested:
I'd be ok with making it non-fatal and stating those things that weren't issued. Note that this becomes more difficult with certmonger since it is more opaque in that there is no place to report back warnings/additional information back to users. I'm more thinking to add something like a command or a post-issuance hook that would use original cert request and would verify it against issued cert and tell about the differences.
Accordingly, add a feature to cert-request that prints a summary of significant differences between the CSR and the issued cert.
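As an added illustration of the post-issuance check proposed above (example code written here, not FreeIPA's implementation and not part of this ticket), the following uses the Python `cryptography` library to compare a CSR against the certificate a CA actually issued and report what was requested but not granted. The CSR, the stand-in CA and the names `summarize_differences`, `format_report` and `build_demo` are all constructed for this example. SAN names are compared as well so the check is generic, even though under the proposal SAN would already be verified before issuance.

```python
"""Compare a CSR with the certificate issued for it and report differences.

Added example, not FreeIPA code. The CA below is a stand-in that deliberately
issues less than the CSR asks for, so that every category of difference shows.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

SAN_OID = ExtensionOID.SUBJECT_ALTERNATIVE_NAME.dotted_string


def _extensions(obj):
    """Map extension OID (dotted string) -> parsed value, for a CSR or a cert."""
    return {ext.oid.dotted_string: ext.value for ext in obj.extensions}


def _san_names(exts):
    """Set of (GeneralName type, value) pairs from the SAN extension, if any."""
    san = exts.get(SAN_OID)
    if san is None:
        return set()
    return {(type(name).__name__, str(name.value)) for name in san}


def _spki_der(key):
    """Canonical DER encoding of a public key, used to detect key substitution."""
    return key.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def summarize_differences(csr, cert):
    """Return a dict describing what the issued cert lacks, changed or added.

    SAN is handled name-by-name rather than as a whole-extension comparison so
    that a partially honoured SAN is reported precisely.
    """
    requested, issued = _extensions(csr), _extensions(cert)
    return {
        "subject_changed": csr.subject != cert.subject,
        "public_key_changed": _spki_der(csr.public_key()) != _spki_der(cert.public_key()),
        "missing_extensions": sorted(o for o in requested if o not in issued),
        "changed_extensions": sorted(o for o in requested
                                     if o in issued and o != SAN_OID
                                     and requested[o] != issued[o]),
        "extra_extensions": sorted(o for o in issued if o not in requested),
        "missing_san_names": sorted(_san_names(requested) - _san_names(issued)),
        "extra_san_names": sorted(_san_names(issued) - _san_names(requested)),
    }


def format_report(report):
    """Render the summary as the lines a cert-request style command might print."""
    lines = []
    if report["subject_changed"]:
        lines.append("subject differs from the CSR")
    if report["public_key_changed"]:
        lines.append("public key differs from the CSR")
    for key, label in (("missing_extensions", "requested extension not issued"),
                       ("changed_extensions", "requested extension issued with different value"),
                       ("extra_extensions", "extension added by the CA"),
                       ("missing_san_names", "requested SAN name not issued"),
                       ("extra_san_names", "SAN name added by the CA")):
        for item in report[key]:
            lines.append(f"{label}: {item}")
    return lines or ["issued certificate matches the CSR"]


def build_demo():
    """Constructed scenario: CSR asks for EKU, a two-name SAN and a narrow key usage;
    the stand-in CA drops EKU, drops one SAN name, widens key usage and adds
    basicConstraints. Returns (csr, cert)."""
    subject_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.example.test")])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])

    def key_usage(encipher):
        return x509.KeyUsage(digital_signature=True, content_commitment=False,
                             key_encipherment=encipher, data_encipherment=False,
                             key_agreement=False, key_cert_sign=False, crl_sign=False,
                             encipher_only=False, decipher_only=False)

    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(x509.SubjectAlternativeName(
               [x509.DNSName("host.example.test"), x509.DNSName("alt.example.test")]), critical=False)
           .add_extension(x509.ExtendedKeyUsage(
               [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
           .add_extension(key_usage(False), critical=True)
           .sign(subject_key, hashes.SHA256()))

    start = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(issuer)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName("host.example.test")]), critical=False)
            .add_extension(key_usage(True), critical=True)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return csr, cert


def demo_report():
    """Run the comparison on the constructed scenario."""
    return summarize_differences(*build_demo())


if __name__ == "__main__":
    for line in format_report(demo_report()):
        print(line)
```

Extensions are reported by dotted OID (2.5.29.37 is extendedKeyUsage, 2.5.29.15 keyUsage, 2.5.29.19 basicConstraints); a real command would map these to names. Note that a CSR with no extensions at all produces an empty "missing" list, so the check only ever reports what the requester explicitly asked for.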
Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog