#6291 Incorrect CA ACL evaluation of SAN DNS names in certificate request
Closed: Fixed None Opened 3 years ago by mbabinsk.

ipa cert-request is supposed to check that the DNS names included in the SubjectAltName extension of CSR are authorized to be used with the certificate profile used with the CSR.

A regression introduced in c2af032 effectively bypassed this check, allowing the host principal to succesfully submit CSR with SAN DNS names of any host enrolled in FreeIPA domain.

Fixed in master:
- 25ed36f Fix CA ACL Check on SubjectAltNames

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.1

2 years ago

Login to comment on this ticket.