#6022 cert-show command does not display Subject Alternative Names
Closed: Fixed None Opened 3 years ago by pspacek.

The cert-show command, and thus the WebUI, in IPA 4.4.0 does not display Subject Alternative Names.

I think that this is a quite important feature because this information helps to define the scope in which the certificate is usable.

Assigning to Fraser; when the backend part is done, please reassign to pvomacka for the Web UI.


  • 0245d2a Move GeneralName parsing code to ipalib.x509
  • dae82b2 x509: fix SAN directoryName parsing
  • e3acc36 x509: use NSS enums and OIDs to identify SAN types
  • a381d88 x509: include otherName DER value in GeneralNameInfo
  • 48aaf2b cert-show: show subject alternative names
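As an added illustration of what the GeneralName parsing moved and fixed in those commits has to deal with (this is example code, not FreeIPA's ipalib.x509), a minimal DER decoder for the SubjectAltName extension value, run over a constructed sample that carries the same kinds of names cert-show prints: a dNSName, a Microsoft UPN otherName (type-id 1.3.6.1.4.1.311.20.2.3) and an iPAddress. Any otherName of another type keeps its raw DER value, as the fourth commit does.

```python
# Added example, not FreeIPA's ipalib.x509: a minimal DER decoder for the
# SubjectAltName value, GeneralNames ::= SEQUENCE OF GeneralName, covering
# dNSName, rfc822Name, iPAddress and the UPN otherName; other otherNames keep
# their raw DER value, other tags are reported with their tag number.
import ipaddress

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName type

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_general_names(der):
    """Return [(type, value), ...] for every GeneralName in a SAN value."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        kind = tag & 0x1F  # context-specific tag number selects the CHOICE arm
        if kind == 0:  # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_bytes, p = _tlv(val, 0)
            _, inner, _ = _tlv(val, p)  # strip the [0] EXPLICIT wrapper
            oid = _oid(oid_bytes)
            if oid == UPN_OID:  # UPN value is a UTF8String
                names.append(("upn", _tlv(inner, 0)[1].decode("utf-8")))
            else:  # unknown type: hand the DER value back to the caller
                names.append(("otherName:" + oid, inner))
        elif kind == 1:
            names.append(("rfc822Name", val.decode("ascii")))
        elif kind == 2:
            names.append(("dNSName", val.decode("ascii")))
        elif kind == 7:
            names.append(("iPAddress", str(ipaddress.ip_address(val))))
        else:
            names.append(("tag[%d]" % kind, val))
    return names

def _enc(tag, content):
    """Short-form DER TLV encoder (content < 128 octets) used for the sample."""
    return bytes([tag, len(content)]) + content

# Constructed sample SAN value: dNSName, UPN otherName and iPAddress (TEST-NET).
UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")  # OID TLV for UPN_OID
SAMPLE_SAN = _enc(0x30, _enc(0x82, b"f24b-2.ipa.local")
    + _enc(0xA0, UPN_OID_DER + _enc(0xA0, _enc(0x0C, b"HTTP/f24b-2.ipa.local@IPA.LOCAL")))
    + _enc(0x87, bytes([192, 0, 2, 1])))
```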

There is a regression in 48aaf2b: cert-show doesn't display all values as before. It does so only with the --all option.

Caused by one occurrence of:

-            self.obj._parse(result)
+            self.obj._parse(result, all)
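Review bot: passing the `all` flag into `self.obj._parse(result, all)` makes the parsed attribute set depend on `--all`, so values that cert-show printed by default before this change now appear only with `--all`, which is the regression reported above; the default field set should stay independent of `all`, with the flag gating only the additional attributes.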

Is there a fix for the regression (comment 6)?

Discussion of behaviour.

At master:

[f24b-2:~/dev/freeipa] [ master● ] ftweedal% ipa cert-show 16
  Issuing CA: ipa
  Certificate: MIIEsTCCA5mgAwIBAgIBED...
  Subject: CN=f24b-2.ipa.local,O=IPA.LOCAL 201610191304
  Subject DNS name: f24b-2.ipa.local
  Subject UPN: HTTP/f24b-2.ipa.local@IPA.LOCAL
  Subject Kerberos principal name: HTTP/f24b-2.ipa.local@IPA.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.LOCAL 201610191304
  Serial number: 16
  Serial number (hex): 0x10
  Revoked: False
  Owner service: HTTP/f24b-2.ipa.local@IPA.LOCAL

Additional values that appear when --all is given are:

[f24b-2:~/dev/freeipa] [ master● ] ftweedal% diff -u0 <(ipa cert-show 16) <(ipa cert-show 16 --all)
--- /proc/self/fd/11    2016-10-21 13:19:37.037257563 +1000
+++ /proc/self/fd/12    2016-10-21 13:19:37.037257563 +1000
@@ -6,0 +7 @@
+  Subject Other Name:,
@@ -7,0 +9,4 @@
+  Not Before: Fri Oct 21 03:01:47 2016 UTC
+  Not After: Mon Oct 22 03:01:47 2018 UTC
+  Fingerprint (MD5): 13:f6:e2:81:cb:0e:c5:66:81:cc:08:61:10:5f:1c:f1
+  Fingerprint (SHA1): 44:88:ee:c6:e5:29:ec:77:d6:4e:5b:3c:66:bc:c6:72:16:40:8d:e6

Indeed, the expiry and fingerprints used to appear in cert-show (without
--all), and now they do not.

For fingerprints, I don't think it is a problem (especially since we
currently use only legacy digests).

For validity, I agree that it should be in default output. PR coming soon.

IMO this is a separate issue/regression introduced at
c718ef0 (#6098).

I opened a new ticket for it: https://fedorahosted.org/freeipa/ticket/6419
and will move this one back to fixed.

Metadata Update from @pspacek:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.3

2 years ago
