[Freeipa-devel] Re: Certificate enrollment, principal names

Simo Sorce ssorce at redhat.com
Thu Nov 5 19:22:03 UTC 2009


On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
> This is about right. What you're missing is storing the certificate in
> the service record. To do this we need to know what the target is.
>
> Nalin and I simply took two different approaches to sending this. We
> can easily support either method by making the principal an optional
> attribute and looking for it in the CSR if not provided (assuming I
> can get my head around PKCS#10 enough to grab attributes).

Given that we should prevent "tricks" from people, the server side should
really parse the CSR and validate it against the ACL, IMO.
Otherwise, do we have any other part that checks that host
foo.example.com is asking for a certificate for itself and not for
bar.example.com?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
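The server-side check Simo asks for, as an added example that is not part of the original thread or of FreeIPA's own code: a Go function (standard library only) that parses a PKCS#10 request and accepts it only when every name it asks for is the host named in the requesting Kerberos principal. The `host/<fqdn>@REALM` principal format and the rule that CN and DNS SANs must all equal that host are assumptions made for the example; MakeCSR only constructs sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// CheckCSRForPrincipal parses a DER PKCS#10 request and accepts it only if every
// name it asks for (subject CN and DNS SANs) is the host of the requesting principal.
func CheckCSRForPrincipal(csrDER []byte, principal string) error {
	// Assumed principal form: "host/foo.example.com@EXAMPLE.COM" -> "foo.example.com"
	self, _, ok := strings.Cut(strings.TrimPrefix(principal, "host/"), "@")
	if !strings.HasPrefix(principal, "host/") || !ok || self == "" {
		return fmt.Errorf("%q is not a host principal", principal)
	}
	self = strings.ToLower(self)
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("cannot parse CSR: %w", err)
	}
	// Proof of possession: the request must verify under its own public key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	// A host principal has no authority over IP, e-mail or URI names: refuse them.
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("CSR carries non-DNS subject alternative names")
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if n != "" && strings.ToLower(n) != self {
			return fmt.Errorf("CSR asks for %q but principal is for %q", n, self)
		}
	}
	return nil
}

// MakeCSR builds a signed PKCS#10 request over a fresh P-256 key (sample input only).
func MakeCSR(cn string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A CSR that names only the requesting host passes; one that adds bar.example.com as a SAN, one whose CN is another host, a non-host principal, or an unparsable request are all rejected.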

