#5206 [RFE] cert-request: compare issued certificate to CSR
Opened 4 years ago by ftweedal. Modified 2 years ago

If #5205 is implemented we will now accept CSRs with all
kinds of extensions and extension values (SAN will still
be comprehensively verified). However, it is always up to
the CA to issue according to the profile, regardless of
request extensions or other info in CSR.

This could lead to confusion if users have included particular
extension values in the CSR but are issued a certificate without
those extensions or values.

Discussion on the proposal to remove the request extension restrictions
suggested:

> I'd be ok with making it non-fatal and stating those things that weren't
> issued.

> Note that this becomes more difficult with certmonger since it is more
> opaque in that there is no place to report back warnings/additional
> information back to users.

> I'm more thinking to add something like a command or a post-issuance
> hook that would use original cert request and would verify it against
> issued cert and tell about the differences.

Accordingly, add a feature to cert-request that prints a summary of
significant differences from the CSR to the issued cert.
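
A sketch of the comparison requested above, as an added example that is not FreeIPA code and not part of the original ticket. It uses the Python `cryptography` library; the hostname, the helper names and the self-signed stand-in for the CA are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def compare_csr_to_cert(csr, cert):
    """Return (omitted, changed): OIDs of CSR extensions that the issued
    certificate lacks, or carries with a different value or criticality."""
    issued = {ext.oid: ext for ext in cert.extensions}
    omitted, changed = [], []
    for req in csr.extensions:  # empty when the CSR requests no extensions
        got = issued.get(req.oid)
        if got is None:
            omitted.append(req.oid.dotted_string)
        elif got.value != req.value or got.critical != req.critical:
            changed.append(req.oid.dotted_string)
    return omitted, changed

def key_usage(**enabled):
    # x509.KeyUsage requires all nine flags; unnamed ones default to False.
    flags = dict.fromkeys(
        ["digital_signature", "content_commitment", "key_encipherment",
         "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
         "encipher_only", "decipher_only"], False)
    flags.update(enabled)
    return x509.KeyUsage(**flags)

def build_sample():
    """Constructed sample: the CSR asks for SAN, EKU and keyUsage; the stand-in
    CA keeps the SAN, drops the EKU and issues a narrower keyUsage."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.example.test")])
    san = x509.SubjectAlternativeName([x509.DNSName("host.example.test")])
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(name)
           .add_extension(san, critical=False)
           .add_extension(eku, critical=False)
           .add_extension(key_usage(digital_signature=True, key_agreement=True), critical=True)
           .sign(key, hashes.SHA256()))
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False)
            .add_extension(key_usage(digital_signature=True), critical=True)
            .sign(key, hashes.SHA256()))
    return csr, cert

if __name__ == "__main__":
    omitted, changed = compare_csr_to_cert(*build_sample())
    print("requested but not issued:", omitted)
    print("issued with different value or criticality:", changed)
```

The check runs only from the CSR to the certificate, so extensions the CA adds on its own according to the profile are not reported.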


Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago
