Hi Martin,

#4559 [RFE] Support lightweight sub-CAs

Remaining work is not huge but may be more than can be done this week even with Christian's help; the largest remaining concern being Custodia. As per discussion in team meeting, I'm going to liaise with Simo and determine a plan for the key replication.

#2915 ipa-getcert does not allow setting specific EKU on certificates

Involves certmonger so I will need to do a bit more investigation. If non-trivial to accomplish this with the default profile, now that we have support for multiple profiles it could be done with a separate profile, as long as certmonger passes the profile properly with `-T' argument. I will follow up on this tomorrow and let you know what I find out.

#4970 Server certificate profile should always include a Subject Alternate name for the host

If a subjectAltName request extension is in CSR, it is checked by `cert-request', and copied onto the final certificate by Dogtag. In the default profile there is currently no other way to specify the SAN. A possible approach to resolve this with the default profile is to update it to include a separate, optional subjectAltName request input, which could be filled in if explicit SAN is not provided in CSR. There are related lines of investigation. Will provide update tomorrow.

#4752 Provide an IEC 62351-8 / DNP3 ID certificate profile

We can provide a profile that supports DNP3 extension now if it is included in a CSR extension request. The patches for IEC 62351-8 extension are in review. Once that is in Dogtag we will be able to provide a profile that supports it with an extensionRequest in CSR.

#3473 Switch to using RESTful interface in dogtag CA interface

Postpone; there is not an urgent need.