  1. Puppet Server
  2. SERVER-2267

Puppetserver should allow signing certificates with IP subject alternative names

Details

    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • SERVER 6.0.1
    • None
    • None
      • Puppetserver can sign CSRs with IP subject alternative names
    • Froyo
    • New Feature
    • The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled).
    • Needs Assessment

    Description

      In PUP-8942, we updated the Ruby CA code to allow signing of certificates with IP subject alternative names in addition to DNS names. We should make analogous changes to the Clojure CA code. See https://github.com/puppetlabs/puppetserver/blob/6.0.0/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L669.

      Currently this code is only accessible during bootstrapping, because we currently disallow signing certificates with SANs via the API. However, the requirement that we allow users to use IP alternative names will probably also be relevant for the puppetserver ca setup command that will replace Puppetserver's bootstrapping code (see SERVER-2255) and also for however we implement allowing SANs for the puppetserver ca sign command.

            People

              amy.sahli Amy Sahli
              maggie Maggie Dreyer