Puppet / PUP-8942

Support issuing certificates with IP Address Subject Alternative Names

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.5.3
    • Component/s: Docs
    • Team:
      Froyo
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Users can now use IP addresses for the dns-alt-names options and settings. DNS subject alternative names should be prefixed with "DNS:" while IP names should be prefixed with "IP:".
    • QA Risk Assessment:
      No Action

      Description

      Puppet Server currently supports and signs CSRs with a DNS SAN, but 'puppet generate' doesn't have an option to generate with an IP SAN, and Puppet Server has no flag to accept that. IP SANs are needed for a growing number of tools written in Golang, including HashiCorp's Vault.

      Subject altnames must be configured via the CLI. Security issues otherwise.

      puppet cert generate command.
      This is not face-based, so we are probably cool updating and retaining this subcommand.

      Multiple DNS-based altnames should still be supported, comma separated.

      Out of scope
      We should file a separate ticket for changing the name of the flag to subject_alt_names, since this will need some more careful consideration of the interactions between flags, settings, faces, and applications.
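
      The prefix convention from the release note, as an added Ruby example (not Puppet's own code): it checks a comma-separated alt-names value before it is used in a certificate request, so an address typed under DNS: or a hostname typed under IP: is caught. The function names, the sample values and the rule that an unprefixed entry counts as a DNS name are assumptions of this example.

```ruby
require 'ipaddr'

# One DNS label: letters, digits, hyphens, not starting or ending with a hyphen.
LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
DNS_NAME = /\A(?:\*\.)?#{LABEL}(?:\.#{LABEL})*\z/i

# True only for a single IPv4/IPv6 address (no CIDR suffix).
def ip_literal?(text)
  return false if text.empty? || text.include?('/')
  IPAddr.new(text)
  true
rescue IPAddr::Error
  false
end

# Splits a comma-separated alt-names value into typed SAN entries.
# Returns [entries, problems]; entries look like "DNS:name" or "IP:addr".
def parse_alt_names(value)
  entries = []
  problems = []
  value.split(',').map(&:strip).reject(&:empty?).each do |item|
    m = item.match(/\A(DNS|IP):(.*)\z/i)
    # Assumption of this example: an entry without a prefix is a DNS name.
    kind, name = m ? [m[1].upcase, m[2].strip] : ['DNS', item]
    if kind == 'IP'
      if ip_literal?(name)
        entries << "IP:#{name}"
      else
        problems << "#{item}: not a single IP address"
      end
    elsif ip_literal?(name)
      # An address typed as DNS would not become an IP SAN.
      problems << "#{item}: IP address needs the IP: prefix"
    elsif name.match?(DNS_NAME)
      entries << "DNS:#{name}"
    else
      problems << "#{item}: not a valid DNS name"
    end
  end
  [entries, problems]
end

# Constructed sample values (not taken from the ticket).
good = 'DNS:puppet, DNS:puppet.example.com, IP:192.0.2.10, IP:2001:db8::1'
bad  = 'vault.example.com, DNS:192.0.2.10, IP:vault.example.com, IP:192.0.2.0/24'
[good, bad].each do |value|
  entries, problems = parse_alt_names(value)
  puts "entries:  #{entries.join(', ')}"
  problems.each { |msg| puts "rejected: #{msg}" }
end
```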


              People

              Assignee:
              amy.lazarte Amy Lazarte
              Reporter:
              mtastrostl Justin Honold
              Votes:
              3
              Watchers:
              12
