[freeipa PR#891][opened] Add SKI and AKI to CA certs in ca-less integration test
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/891
Author: frasertweedale
Title: #891: Add SKI and AKI to CA certs in ca-less integration test
Action: opened
PR body:
"""
The IPA installer now checks that CA certs include the Subject Key
Identifier extension (which is required by Dogtag and RFC 5280).
But this broke our integration tests, which were not adding the
extension.
Update the caless-create-pki script to add these extensions.
The Subject Key Identifier and Authority Key Identifier values are
randomly chosen for each CA, and propagated down to the 'gen_cert()'
subroutine so that profiles have access to them. Each profile can
choose how to use it. For now, only the 'ca' profile uses them, but
for maximum correctness the 'server' profile (i.e. for leaf
certificates) could be updated to add the CA's SKI to the AKI
extension. This is left for a later commit.
Fixes: https://pagure.io/freeipa/issue/7030
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/891/head:pr891
git checkout pr891
[freeipa PR#863][opened] Add CommonNameToSANDefault to default cert profile
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/863
Author: frasertweedale
Title: #863: Add CommonNameToSANDefault to default cert profile
Action: opened
PR body:
"""
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Part of: https://pagure.io/freeipa/issue/4970
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/863/head:pr863
git checkout pr863
[freeipa PR#859][opened] Add CommonNameToSANDefault to default cert profile
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/859
Author: frasertweedale
Title: #859: Add CommonNameToSANDefault to default cert profile
Action: opened
PR body:
"""
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Part of: https://pagure.io/freeipa/issue/4970
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/859/head:pr859
git checkout pr859