#7007 Use CommonNameToSANDefault in default profile (new installs only)
Closed: fixed 6 years ago Opened 6 years ago by ftweedal.

Because clients (esp. Chrome) are beginning to ignore CN, it is
imperative that host/service certs issued by FreeIPA put DNS naming
information into the Subject Alt Name extension.

Until https://pagure.io/freeipa/issue/5323 is implemented we don't have
a proper profile update machinery that is aware of what versions of
Dogtag are in the topology, but we can still improve the situation for
new installations - which will certainly use Dogtag 10.4 - by adding the
CommonNameToSANDefault profile component to the default
certificate profile in FreeIPA.

This patch is a small part of https://pagure.io/freeipa/issue/4970 but
I created this separate ticket so this particular aspect can be
triaged and merged independently.
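
An audit check for the problem described above, as an added example that is not part of the original ticket or of FreeIPA's code: it applies SAN-only host name matching, the way a CN-ignoring client does, and lists certificates whose CN is not covered by a SAN dNSName. The certificate dicts follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and host names are constructed for illustration.

```python
# Added example: certificate dicts use the layout returned by Python's
# ssl.SSLSocket.getpeercert(); all host names below are constructed samples.

def dns_sans(cert):
    """Return the lower-cased dNSName entries of the Subject Alt Name extension."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """Return every commonName attribute found in the subject DN."""
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def label_match(pattern, hostname):
    """Match one SAN dNSName against a host name; '*' may only be the whole left-most label."""
    p, h = pattern.split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_only_match(cert, hostname):
    """Host name check as a CN-ignoring client performs it: SAN dNSName entries only."""
    return any(label_match(s, hostname) for s in dns_sans(cert))

def cn_missing_from_san(cert):
    """List CNs that a CN-ignoring client would reject because no SAN entry covers them."""
    return [cn for cn in common_names(cert) if not san_only_match(cert, cn)]

# Constructed samples: a CN-only certificate and one that also carries the name in SAN.
CN_ONLY = {"subject": ((("organizationName", "EXAMPLE.TEST"),),
                       (("commonName", "web.example.test"),))}
CN_AND_SAN = {"subject": ((("commonName", "web.example.test"),),),
              "subjectAltName": (("DNS", "web.example.test"),)}

if __name__ == "__main__":
    for name, cert in (("CN_ONLY", CN_ONLY), ("CN_AND_SAN", CN_AND_SAN)):
        print(name, "needs reissue for:", cn_missing_from_san(cert))
```

Certificates reported by `cn_missing_from_san` are the ones that need reissuing once their profile copies the CN into the SAN extension.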


Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.3

6 years ago

master:

  • 1a35a2e (HEAD) Add CommonNameToSANDefault to default cert profile

ipa-4-5:

  • 33aa4c2 (HEAD) Add CommonNameToSANDefault to default cert profile

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1475238

6 years ago
