cert-show command and thus WebUI in IPA 4.4.0 does not display Subject Alternative Names.
I think that this is quite an important feature because this information helps to define scope when the certificate is usable.
Assigning to Fraser; when the backend part is done, please reassign to pvomacka for Web UI.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1356104
master:
There is a regression in 48aaf2b: cert-show doesn't display all values as before. It does it only with the --all option.
caused by one occurrence of:
- self.obj._parse(result) + self.obj._parse(result, all)
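Review bot: on the + line, passing all straight into _parse ties what gets parsed to the --all flag at this call site, and the comment above reports that cert-show then stops printing values it used to show by default. If only some attributes are meant to be --all-only, cover this call with a test that runs cert-show without --all and checks that the fields expected in default output are still present.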
Is there a fix for the regression (comment 6)?
Discussion of behaviour.
At master:
[f24b-2:~/dev/freeipa] [ master● ] ftweedal% ipa cert-show 16
  Issuing CA: ipa
  Certificate: MIIEsTCCA5mgAwIBAgIBED...
  Subject: CN=f24b-2.ipa.local,O=IPA.LOCAL 201610191304
  Subject DNS name: f24b-2.ipa.local
  Subject UPN: HTTP/f24b-2.ipa.local@IPA.LOCAL
  Subject Kerberos principal name: HTTP/f24b-2.ipa.local@IPA.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.LOCAL 201610191304
  Serial number: 16
  Serial number (hex): 0x10
  Revoked: False
  Owner service: HTTP/f24b-2.ipa.local@IPA.LOCAL
Additional values that appear when --all is given are:
[f24b-2:~/dev/freeipa] [ master● ] ftweedal% diff -u0 <(ipa cert-show 16) <(ipa cert-show 16 --all) --- /proc/self/fd/11 2016-10-21 13:19:37.037257563 +1000 +++ /proc/self/fd/12 2016-10-21 13:19:37.037257563 +1000 @@ -6,0 +7 @@ + Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DB9IVFRQL2YyNGItMi5pcGEubG9jYWxASVBBLkxPQ0FM, 1.3.6.1.5.2.2:MDKgCxsJSVBBLkxPQ0FMoSMwIaADAgEBoRowGBsESFRUUBsQZjI0Yi0yLmlwYS5sb2NhbA== @@ -7,0 +9,4 @@ + Not Before: Fri Oct 21 03:01:47 2016 UTC + Not After: Mon Oct 22 03:01:47 2018 UTC + Fingerprint (MD5): 13:f6:e2:81:cb:0e:c5:66:81:cc:08:61:10:5f:1c:f1 + Fingerprint (SHA1): 44:88:ee:c6:e5:29:ec:77:d6:4e:5b:3c:66:bc:c6:72:16:40:8d:e6
Indeed, the expiry and fingerprints used to appear in cert-show (without --all), and now they do not.
For fingerprints, I don't think it is a problem (especially since we currently use only legacy digests).
For validity, I agree that it should be in default output. PR coming soon.
IMO this is a separate issue/regression introduced at c718ef0 (#6098).
I opened a new ticket for it: https://fedorahosted.org/freeipa/ticket/6419 and will move this one back to fixed.
fixed
Metadata Update from @pspacek: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4.3