Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN
by Fraser Tweedale
Discussion for devs: once this is merged should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?
IMO we should do it, but we should not automatically update existing
installations. Instead, we (I) can produce a KBase article about
using the new component.
Let me know what you think.
Cheers,
Fraser
On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patches implement the long-desired feature to copy CN
> > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> >
> > I've also pushed the branch to my GitHub repo; feel free to review
> > the patches there:
> > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> >
> > Thanks,
> > Fraser
> >
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
> Fraser,
>
> In order to review this patch, I am going to apply it and make a scratch
> build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
> us.
>
> If they give us their approval, you can consider yourself granted an ACK on
> this patch and check it into master so that I can cherry-pick it into the
> 10.3 branches.
>
> -- Matt
>
> P. S. - FYI, the following conversation took place on #cs today:
>
> <mharmsen> dminnich,walrus: ftweedal has released a patch for
> https://fedorahosted.org/pki/ticket/1710 - Add profile component
> that copies CN to SAN -- if I applied that patch to a 10.3.3
> pki-core for RHEL 7.3, could you guys test it out, or in order to
> test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
> 7.2 like last time?
> <walrus> mharmsen: having a scratch build of 7.2 would be quickest
> <walrus> we are just now planning the 7.3 upgrade, which will take
> some time to get into dev
> <mharmsen> walrus: okay, I can try to see if I can do that, but
> remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
> <walrus> yeah we should be on 7.3 in a month or so... a lot of
> things to test on a lot of servers :)
> <walrus> csnell|wfh: ^^^
> <mharmsen> walrus: completely understood! LOL
> <dminnich> mharmsen: that will be a very welcome patch
> <dminnich> mharmsen: do you happen to know if ACLs work against SANs?
> <mharmsen> dminnich: not off the top of my head
> <mharmsen> edewata, cfu, jmagne: ^^^?
> <dminnich> that is something on our to investigate list as well
> <mharmsen> dminnich: I am going to drop an email to ftweedal, and I
> will ask that question
> <edewata> mharmsen: no idea about SAN
> <jmagne> mharmsen, don't know
> <cfu> dminnich, mharmsen , what does that mean?
> <dminnich> cfu: right now we allow only people in LDAP group X to
> issue certs for domains that meet Y regex. but we don't check
> SANs. so somebody could CN=blah.devlab.com and get approved but add
> a SAN for www.redhat.com and we don't deny it
> <edewata> dminnich: where is X & Y defined?
> <dminnich>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
> <dminnich> edewata: ^ some of that might be added by puppet later. but
> thats the gist
> <edewata> dminnich: ok, it's in profile, not ACL
> <dminnich> authz.acl=group and constraints
> <cfu> dminnich, dminnich ah, I see. so it's like a pattern
> constraint just like what we have for subject name now in the
> profile. Yeah, you can write a constraint plugin for that
> <cfu> dminnich, anyway, feel free to file a ticket for it.
> <dminnich> cfu: will do
>
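The gap dminnich describes in the quoted IRC log (the approval policy matches the CN against a pattern but never looks at the SAN, so a request can pass on its CN and still carry an unrelated dNSName) closes when the same pattern is applied to every name the CSR requests. The Go program below is an added example, not Dogtag's own constraint plugin and not part of these patches; the devlab.example pattern, the host names and the buildCSR helper are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"regexp"
)

// requestedNames returns every DNS identity a CSR asks for: subject CN plus each SAN dNSName.
func requestedNames(csr *x509.CertificateRequest) []string {
	names := []string{}
	if cn := csr.Subject.CommonName; cn != "" {
		names = append(names, cn)
	}
	return append(names, csr.DNSNames...)
}

// checkAllowed applies the pattern to every requested name (not only the CN); returns the first offending name or "".
func checkAllowed(csr *x509.CertificateRequest, allowed *regexp.Regexp) string {
	for _, n := range requestedNames(csr) {
		if !allowed.MatchString(n) {
			return n
		}
	}
	return ""
}

// buildCSR signs a CSR from constructed sample names and round-trips it through DER, as a CA would receive it.
func buildCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	devlab := regexp.MustCompile(`^[a-z0-9-]+\.devlab\.example$`) // hypothetical policy for one LDAP group
	csr, _ := buildCSR("host1.devlab.example", []string{"host1.devlab.example", "www.example.com"})
	fmt.Println("rejected:", checkAllowed(csr, devlab)) // prints www.example.com
}
```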