#5706 [RFE] Support SAN-only certificates (empty subject dn)
Opened 4 years ago by ftweedal. Modified a month ago

jcholast had a good point about this RFE:

I see a problem with this approach: CN is limited to 64 octets; if the host name
is longer, copying CN to SAN won't help us at all and can even be just plain
wrong if it has a truncated host name. This can happen in cloud environments with
automatically generated host names, like in this IPA ticket:
https://fedorahosted.org/freeipa/ticket/4415

Pursuant to RFC 2818 we not only need to support copying the CN to SAN dnsName
for host/service cert profiles (#4970), but we need to support requests without CN,
as long as there is at least one dnsName in the SAN request extension.

This may require changes to:

  • ipa cert-request command, to not require CN when SAN dnsNames are present
  • default profile, to not require CN when SAN dnsNames are present
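
The acceptance rule requested above, sketched as an added example that is not part of the ticket and is not FreeIPA code. The function name, its inputs, and the choice to reject a CN that is present but does not equal the host name are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code; names and policy details are assumptions.
UB_COMMON_NAME = 64  # CN limit in octets, as stated in the ticket


def _norm(name):
    """DNS names compare case-insensitively; ignore a trailing dot."""
    return name.rstrip(".").lower()


def check_request(host, subject_cn, san_dns_names):
    """Return (accepted, reason) for a host certificate request.

    host          -- FQDN of the principal the cert is requested for
    subject_cn    -- CN from the CSR subject, or None if the subject DN is empty
    san_dns_names -- dNSName values from the CSR's SAN request extension
    """
    host_n = _norm(host)
    sans = {_norm(n) for n in san_dns_names}

    if subject_cn is None and not sans:
        return False, "no CN and no SAN dNSName"

    if subject_cn is not None:
        if len(subject_cn.encode("utf-8")) > UB_COMMON_NAME:
            return False, "CN longer than 64 octets"
        cn = _norm(subject_cn)
        if cn != host_n:
            if host_n.startswith(cn):
                return False, "CN is a truncated host name"
            return False, "CN does not match host"

    # Assumed policy: when dNSNames are present, one must equal the host.
    if sans and host_n not in sans:
        return False, "host not among SAN dNSNames"

    return True, "SAN-only request" if subject_cn is None else "CN matches host"


# Constructed sample: an auto-generated cloud host name longer than 64 octets.
LONG_HOST = "i-" + "a" * 70 + ".cloud.example.test"

if __name__ == "__main__":
    for cn in (None, LONG_HOST[:64], LONG_HOST):
        print(repr(cn)[:24], check_request(LONG_HOST, cn, [LONG_HOST]))
```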

4.4.0 was released, moving open tickets to 4.4.1

This ticket goes along with #4970 - bumping to 4.5 backlog

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5 backlog

3 years ago
