[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Jan Cholasta jcholast at redhat.com
Fri Jan 17 10:39:07 UTC 2014 

On 10.1.2014 13:34, Martin Kosek wrote:
> On 01/09/2014 04:49 PM, Simo Sorce wrote:
>> On Thu, 2014-01-09 at 10:44 -0500, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/09/2014 03:12 PM, Simo Sorce wrote:
>>
>>>>>> Also maybe we should allow admins to bypass the need to have an actual
>>>>>> object to represent the alt name ?
>>>
>>> I'd rather not. This would allow a rogue admin to create a cert for
>>> www.google.com. Sure, they could also create a host for that but forcing
>>> them to add more entries increases the chances of them getting caught
>>> doing it.
>>
>> They can remove the host right after they create a cert, I honestly do
>> not think this is a valid concern. If your admin is rouge he can already
>> take full ownership of your infrastructure in many ways, preventing
>> setting a name in a cert doesn't really make a difference IMO.
>>
>> However I would be ok to limit this to some new "Security Admin/CA
>> Admin" role that is not assigned by default.
>>
>> Simo.
>>
>
> Ok, let's reach some conclusion here. I would really like to not defer this
> feature for too long, it is quite wanted. Would creating new virtual operation
> "Request certificate with SAN" make the situation better? It would not be so
> difficult to do, the check_access function can already access virtual operation
> name as a parameter, we just need to call it.

Why don't we treat SAN hostnames the same way as the subject hostname? 
The way I see it, with SAN the only difference is that there is a set of 
hostnames instead of just a single hostname, so maybe we should support 
requesting a certificate for a set of hosts/services instead of just a 
single host/service.

As far as authorization is concerned, currently you can request a 
certificate for a single host/service, if you have the "Request 
certificate" permission and write access to the host/service entry. With 
multiple hosts/services, you would be able to request a certificate if 
you have the "Request certificate" permission and write access to *all* 
of the host/certificate entries you are requesting the certificate for.

Effectively this means that cert-request would accept multiple 
principals instead of single principal and the automatic revocation code 
in cert-request, host-del and service-del would take into account that a 
single certificate might be assigned to multiple entities.

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list