This is a spin-off ticket of #4970. All modern browsers are starting to require SAN in certs.
Therefore cert-request should warn if issuing a cert without SAN so that the admin won't issue a cert for a service which would then be rejected.
Note: should only apply to cert requests where subject principal is a host or service principal.
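A sketch of the check requested above, as an added example that is not part of the original ticket or of FreeIPA's code. It uses the Python `cryptography` package; the function names are hypothetical, host and service principals are assumed to have the form `name/fqdn@REALM`, and a SAN extension with no dNSName entry is treated the same as a missing SAN.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr(cn, dns_names=()):
    """Build a PEM CSR with a throwaway key (constructed sample input)."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
    if dns_names:
        san = x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names])
        builder = builder.add_extension(san, critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def is_host_or_service(principal):
    """Assumption: 'name/fqdn[@REALM]' is a host or service; users have no '/'."""
    return "/" in principal.split("@", 1)[0]


def san_warning(csr_pem, principal):
    """Return a warning string when the CSR carries no SAN dNSName, else None."""
    if not is_host_or_service(principal):
        return None  # the ticket limits the warning to host/service principals
    csr = x509.load_pem_x509_csr(csr_pem)
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns_names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    if dns_names:
        return None
    return ("warning: CSR for %s has no subjectAltName dNSName; "
            "browsers that require SAN will reject the certificate" % principal)


if __name__ == "__main__":
    # Constructed sample: a service principal requesting a cert with CN only.
    print(san_warning(build_csr("web.example.test"),
                      "HTTP/web.example.test@EXAMPLE.TEST"))
```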
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @tkrizek: - Issue assigned to tkrizek (was: someone)
IMO instead of implementing this we should update the default profile to use the new component in Dogtag that automatically copies CN into SAN (if it looks like a DNS name). The Dogtag bits are implemented and will be in the next major release.
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @fbarreto: - Issue assigned to fbarreto (was: tkrizek)
PR: https://github.com/freeipa/freeipa/pull/773
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @pvoborni: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)