Discussion for devs: once this is merged should I update all the included service-oriented profiles (e.g. caCAcert; not user or CA cert profiles) to add this profile component?
IMO we should do it, but we should not automatically update existing installations. Instead, we (I) can produce a KBase article about using the new component. Let me know what you think.

Cheers,
Fraser

On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patches implement the long-desired feature to copy CN
> > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> >
> > I've also pushed the branch to my GitHub repo; feel free to review
> > the patches there:
> > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> >
> > Thanks,
> > Fraser
> >
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
> Fraser,
>
> In order to review this patch, I am going to apply it and make a scratch
> build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
> us.
>
> If they give us their approval, you can consider yourself granted an ACK on
> this patch and check it into master so that I can cherry-pick it into the
> 10.3 branches.
>
> -- Matt
>
> P. S. - FYI, the following conversation took place on #cs today:
>
> <mharmsen> dminnich,walrus: ftweedal has released a patch for
> https://fedorahosted.org/pki/ticket/1710 - Add profile component
> that copies CN to SAN -- if I applied that patch to a 10.3.3
> pki-core for RHEL 7.3, could you guys test it out, or in order to
> test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
> 7.2 like last time?
> <walrus> mharmsen: having a scratch build of 7.2 would be quickest
> <walrus> we are just now planning the 7.3 upgrade, which will take
> some time to get into dev
> <mharmsen> walrus: okay, I can try to see if I can do that, but
> remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
> <walrus> yeah we should be on 7.3 in a month or so... a lot of
> things to test on a lot of servers :)
> <walrus> csnell|wfh: ^^^
> <mharmsen> walrus: completely understood! LOL
> <dminnich> mharmsen: that will be a very welcome patch
> <dminnich> mharmsen: do you happen to know if ACLs work against SANs?
> <mharmsen> dminnich: not off the top of my head
> <mharmsen> edewata, cfu, jmagne: ^^^?
> <dminnich> that is something on our to-investigate list as well
> <mharmsen> dminnich: I am going to drop an email to ftweedal, and I
> will ask that question
> <edewata> mharmsen: no idea about SAN
> <jmagne> mharmsen, don't know
> <cfu> dminnich, mharmsen , what does that mean?
> <dminnich> cfu: right now we allow only people in LDAP group X to
> issue certs for domains that meet Y regex. but we don't check
> SANs. so somebody could CN=blah.devlab.com and get approved but add
> a SAN for www.redhat.com and we don't deny it
> <edewata> dminnich: where is X & Y defined?
> <dminnich>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n12
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n26
> <dminnich> edewata: ^ some of that might be added by puppet later. but
> that's the gist
> <edewata> dminnich: ok, it's in profile, not ACL
> <dminnich> authz.acl=group and constraints
> <cfu> dminnich, dminnich ah, I see. so it's like a pattern
> constraint just like what we have for subject name now in the
> profile. Yeah, you can write a constraint plugin for that
> <cfu> dminnich, anyway, feel free to file a ticket for it.
> <dminnich> cfu: will do
> _______________________________________________

Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel