#7451 Allow issuing certificates with IP addresses in subjectAltName
Closed: fixed 7 months ago by ftweedal. Opened 2 years ago by ftweedal.

Request for enhancement

Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.

  • One of the DNS names in the SAN resolves to the IP address
    (possibly through a CNAME).
  • All of the DNS entries in the resolution chain are managed by
    this IPA instance.
  • The IP address has a (correct) reverse DNS entry that is managed
    by this IPA instance

The approach was discussed and agreed on the freeipa-devel mailing list:
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/5MFHNX4K35AKBSV2KUGZKON5SQ6GWEMI/
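
The three conditions requested above, as an added Python example (not part of the original ticket and not FreeIPA's own code). The record table, names and function names are constructed for illustration, and "correct" reverse entry is assumed to mean that the PTR record points back at the name owning the address record.

```python
import ipaddress

# Constructed sample data standing in for the DNS records this IPA
# instance manages; anything absent here counts as unmanaged.
MANAGED = {
    ("www.example.test.", "CNAME"): ["web1.example.test."],
    ("web1.example.test.", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["web1.example.test."],
    ("db.example.test.", "A"): ["192.0.2.20"],             # no PTR record
    ("ext.example.test.", "CNAME"): ["cdn.example.net."],  # leaves managed data
}


def lookup(name, rtype):
    """Return managed records only; never falls back to a resolver."""
    return MANAGED.get((name.lower(), rtype), [])


def resolve_managed(name, max_depth=8):
    """Follow CNAMEs through managed records only; return (owner, ips)."""
    name = name if name.endswith(".") else name + "."
    for _ in range(max_depth):
        target = lookup(name, "CNAME")
        if not target:
            break
        name = target[0]
    else:
        return name, set()  # chain too long or looping: accept nothing
    ips = {ipaddress.ip_address(a)
           for rtype in ("A", "AAAA") for a in lookup(name, rtype)}
    return name, ips


def has_correct_ptr(ip, owner):
    """Assumption: 'correct' means the managed PTR points back at owner."""
    return owner in lookup(ip.reverse_pointer + ".", "PTR")


def unmatched_san_ips(san_dns_names, san_ips):
    """Return every SAN IP address that fails one of the three conditions."""
    allowed = set()
    for dns_name in san_dns_names:
        owner, ips = resolve_managed(dns_name)
        allowed |= {ip for ip in ips if has_correct_ptr(ip, owner)}
    requested = [ipaddress.ip_address(a) for a in san_ips]
    return [str(ip) for ip in requested if ip not in allowed]
```

A request would be refused whenever `unmatched_san_ips` returns a non-empty list, and the list names every offending address rather than only the first.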


Metadata Update from @ftweedal:
- Issue assigned to ipilcher

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1586268

a year ago

Metadata Update from @abiagion:
- Issue set to the milestone: FreeIPA 4.8

a year ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1843

8 months ago

Moving the milestone to 4.6.5 so that the feature gets included in ipa-4-6 branch.

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.8)

7 months ago

master:

  • dccb2e0 Allow issuing certificates with IP addresses in subjectAltName
  • 8ec4868 cert-request: restrict IPAddress SAN to host/service principals
  • eb70e64 cert-request: collect only qualified DNS names for IPAddress validation
  • 9c750f0 cert-request: generalise _san_dnsname_ips for arbitrary cname depth
  • e37c025 cert-request: report all unmatched SAN IP addresses
  • 474a2e6 Add tests for cert-request IP address SAN support
  • a65c12d cert-request: more specific errors in IP address validation

master:

  • 8327e11 cert-request: handle missing zone

ipa-4-7:

  • 142b0dd Allow issuing certificates with IP addresses in subjectAltName
  • f34f099 cert-request: restrict IPAddress SAN to host/service principals
  • 7107eb1 cert-request: collect only qualified DNS names for IPAddress validation
  • 8dc25eb cert-request: generalise _san_dnsname_ips for arbitrary cname depth
  • ba93f55 cert-request: report all unmatched SAN IP addresses
  • b5324b5 Add tests for cert-request IP address SAN support
  • d0b915c cert-request: more specific errors in IP address validation
  • d07ca48 (HEAD) cert-request: handle missing zone

ipa-4-6:

  • 5aa8b7a Allow issuing certificates with IP addresses in subjectAltName
  • dd93dd1 cert-request: restrict IPAddress SAN to host/service principals
  • 42c69a0 cert-request: collect only qualified DNS names for IPAddress validation
  • ed3ef20 cert-request: generalise _san_dnsname_ips for arbitrary cname depth
  • 6e5c2d9 cert-request: report all unmatched SAN IP addresses
  • 0295908 Add tests for cert-request IP address SAN support
  • 1a78844 cert-request: more specific errors in IP address validation
  • 94ecaaa cert-request: handle missing zone
  • cbb9729 cert-request: fix py2 unicode/str issues
  • 0170fd8 (HEAD) pylintrc: ignore R1720 no-else-raise errors

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 months ago
