[SERVER-2267] Puppetserver should allow signing certificates with IP subject alternative names - Puppet Tickets

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: SERVER 6.0.1
Component/s: None
Labels:
None

Acceptance Criteria:
- Puppetserver can sign CSRs with IP subject alternative names
Epic Link:
Clojure CA Service
Team:
Froyo

Release Notes:
New Feature
Release Notes Summary:
The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled).

QA Risk Assessment:
Needs Assessment

Description

In ~~PUP-8942~~, we updated the Ruby CA code to allow signing of certificates with IP subject alternative names in addition to DNS names. We should make analogous changes to the Clojure CA code. See https://github.com/puppetlabs/puppetserver/blob/6.0.0/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L669.

Currently this code is only accessible during bootstrapping, because we currently disallow signing certificates with SANs via the API. However, the requirement that we allow users to use IP alternative names will probably also be relevant for the puppetserver ca setup command that will replace Pupeptserver's bootstrapping code (see ~~SERVER-2255~~) and also for however we implement allows SANs for the puppetserver ca sign command.

Attachments

Issue Links

relates to

SERVER-2255 Create `generate` subcommand for the CA CLI tool

Closed

SERVER-2257 Create a `sign` subcommand for the new CA CLI

Closed

SERVER-2263 Create a subcommand for generating a new key and certificate via the CA CLI

Closed

PUP-8942 Support issuing certificates with IP Address Subject Alternative Names

Closed

Activity

People

Assignee:: Amy Sahli

Reporter:: Maggie Dreyer

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018/08/02 11:15 AM

Updated:: 2018/10/02 12:45 PM

Resolved:: 2018/09/27 8:07 AM