RFC 2818 requires SAN dnsName for the subject (CN is deprecated). See #4970 for discussion.
Tracker of PKI ticket: https://fedorahosted.org/pki/ticket/1710
Once the PKI feature is implemented we need to update the default profile to use the new profile component.
Increasing the priority of the ticket, as it has the potential to make FreeIPA-issued certs ineffective when deprecation warnings like this one:
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
become real errors.
jcholast had a good point about this RFE:
I see a problem with this approach: CN is limited to 64 octets, if the host name is longer, copying CN to SAN won't help us at all and can even be just plain wrong if it has truncated host name. This can happen in cloud environments with automatically generated host names, like in this IPA ticket: https://fedorahosted.org/freeipa/ticket/4415 I think a preferable solution would be to add a way to specify the SAN out of band, to override what's in the CSR.
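The two points raised above, the CN-only fallback that urllib3 warns about and the 64-octet ceiling on commonName, as an added example that is not FreeIPA or Dogtag code. It uses only the standard library. The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and `cn_value()` models a hypothetical CSR tool that silently truncates an over-long hostname to fit CN; the hostnames are made up.

```python
"""Hostname verification per RFC 2818 (SAN dNSName first, CN only as fallback)
and the X.520 ub-common-name limit that breaks "copy CN into SAN".
Constructed example; not part of FreeIPA, Dogtag or urllib3."""

UB_COMMON_NAME = 64  # X.520 upper bound on commonName, in octets


def _match_dns(pattern, hostname):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole
    leftmost label, and never matching more than one label."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if plabels[0] != '*' or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def verify_hostname(cert, hostname):
    """Return (source, matched).

    source is 'san' when the cert carries SAN dNSName entries (CN is then
    ignored, as RFC 2818 requires), 'cn' when verification fell back to the
    deprecated commonName path (the case urllib3 warns about), or 'none'
    when there is nothing to match against.
    """
    dns_names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if dns_names:
        return 'san', any(_match_dns(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if cns:
        return 'cn', any(_match_dns(n, hostname) for n in cns)
    return 'none', False


def cn_can_hold(hostname):
    """Hostnames in certificates are ASCII A-labels, so len() counts octets."""
    return len(hostname) <= UB_COMMON_NAME


def cn_value(hostname):
    """Hypothetical CSR tool behaviour: truncate the hostname so it fits CN.
    This is what makes a CN-derived SAN 'plain wrong' for long names."""
    return hostname if cn_can_hold(hostname) else hostname[:UB_COMMON_NAME]


def san_copied_from_cn(cert):
    """The approach criticised above: synthesise SAN dNSName from the CN(s)."""
    cns = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    new_cert = dict(cert)
    new_cert['subjectAltName'] = tuple(('DNS', cn) for cn in cns)
    return new_cert


# Constructed sample certificates (getpeercert() dict shape).
CERT_WITH_SAN = {
    'subject': ((('commonName', 'ipa.example.test'),),),
    'subjectAltName': (('DNS', 'ipa.example.test'), ('DNS', 'ipa-ca.example.test')),
}
CERT_CN_ONLY = {
    'subject': ((('countryName', 'US'),), (('commonName', 'host.example.test'),)),
}
# 79 octets: an auto-generated cloud hostname that cannot fit in CN.
LONG_HOST = 'ip-10-0-1-23.very-long-autogenerated-cloud-subdomain.us-east-1.compute.internal'
CERT_LONG_CN = {'subject': ((('commonName', cn_value(LONG_HOST)),),)}


def demo():
    """Collect the outcomes a reviewer of this ticket would want to see."""
    return {
        'san_match': verify_hostname(CERT_WITH_SAN, 'ipa-ca.example.test'),
        'san_mismatch': verify_hostname(CERT_WITH_SAN, 'other.example.test'),
        'cn_fallback': verify_hostname(CERT_CN_ONLY, 'HOST.example.test'),
        'long_fits_cn': cn_can_hold(LONG_HOST),
        # CN was truncated, so a SAN copied from it does not match the real host.
        'san_from_truncated_cn': verify_hostname(san_copied_from_cn(CERT_LONG_CN), LONG_HOST),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print('%-24s %s' % (name, result))
```

Running it shows the SAN path matching and ignoring CN, the CN-only certificate succeeding only through the deprecated fallback, and the long hostname: CN cannot hold it at all, and a SAN synthesised from the truncated CN fails verification for the real name, which is why the SAN has to come from out of band rather than from the CSR's CN.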
Closing this as duplicate of #4970 (Server certificate profile should always include a Subject Alternate name for the host). Milestone and priority of #4970 updated to match this ticket.
See also:
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4