Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2267

Puppetserver should allow signing certificates with IP subject alternative names

          Details

          • Type: New Feature
          • Status: Closed
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: SERVER 6.0.1
          • Component/s: None
          • Labels:
            None
          • Template:
          • Acceptance Criteria:
            • Puppetserver can sign CSRs with IP subject alternative names
          • Epic Link:
          • Team:
            Server
          • Release Notes:
            New Feature
          • Release Notes Summary:
            The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled).
          • QA Risk Assessment:
            Needs Assessment

            Description

            In PUP-8942, we updated the Ruby CA code to allow signing of certificates with IP subject alternative names in addition to DNS names. We should make analogous changes to the Clojure CA code. See https://github.com/puppetlabs/puppetserver/blob/6.0.0/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L669.

            Currently this code is only accessible during bootstrapping, because we currently disallow signing certificates with SANs via the API. However, the requirement that we allow users to use IP alternative names will probably also be relevant for the puppetserver ca setup command that will replace Pupeptserver's bootstrapping code (see SERVER-2255) and also for however we implement allows SANs for the puppetserver ca sign command.

              Attachments

                Issue Links

                relates to

                Sub-task - The sub-task of the issue SERVER-2255 Create `generate` subcommand for the CA CLI tool

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                Sub-task - The sub-task of the issue SERVER-2257 Create a `sign` subcommand for the new CA CLI

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                Sub-task - The sub-task of the issue SERVER-2263 Create a subcommand for generating a new key and certificate via the CA CLI

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                New Feature - A new feature of the product, which has yet to be developed. PUP-8942 Support issuing certificates with IP Address Subject Alternative Names

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                  Activity

                    jsd-sla-details-panel

                      People

                      • Assignee:
                        amy.sahli Amy Sahli
                        Reporter:
                        maggie Maggie Dreyer
                      • Votes:
                        0 Vote for this issue
                        Watchers:
                        4 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved: